Professional Documents
Culture Documents
Deployment Fundamentals Vol 6 Deploying Windows 10 Using Microsoft Deployment Toolkit
Deployment Fundamentals Vol 6 Deploying Windows 10 Using Microsoft Deployment Toolkit
Fundamentals — Volume
6
Deploying Windows 10 Using Microsoft
Deployment Toolkit
Mikael Nyström
Johan Arwidmark
Deployment Artist
http://deploymentartist.com
Copyright © 2016 by Deployment Artist
All rights reserved. No part of this book may be reproduced or transmitted in any form or
by any means without the prior written permission of the publisher.
Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but
no warranty or fitness is implied. The information provided is on an “as is” basis. The
authors and the publisher shall have neither liability nor responsibility to any person or
entity with respect to any loss or damages arising from the information contained in this
book.
Feedback Information
We’d like to hear from you! If you have any comments about how we could improve the
quality of this book, please don’t hesitate to contact us by visiting
http://deploymentfundamentals.com, sending an email to
feedback@deploymentfundamentals.com, or visiting our Facebook site
http://facebook.com/deploymentfundamentals.
Acknowledgments
This book would not exist without the support from our families. Thank you for your
patience and understanding. We love you all.
Thank you, Chris Nelson. Without your tireless edits, this book would never have been
completed.
Thank you, Eddie Hönig, for valuable advice and testing.
Special thanks to Michael Niehaus and Aaron Czechowski for putting up with all of our
questions.
The following music was played (often loudly) during the writing of this book: Nightwish,
Scooter, Linkin Park, Meatloaf, and Green Day. Chris also mentioned that he was listening
to Ron Carter and Herbie Hancock while editing the book.
Finally, we are deeply indebted to our many students, event attendees, and people who’ve
reached out to us via social media. You’ve asked great questions, shared valuable
information, and generally enriched our professional lives. We appreciate you more than
we can express.
About the Authors
Mikael Nyström
Mikael is a Principal Technical Architect at TrueSec, with an extremely broad field of
competence. He works in-depth with System Center suite, virtualization, cloud platforms,
and operating system deployment. Mikael is a very popular instructor, is frequently used
by Microsoft for partner training, and speaks at major conferences such as TechEd,
Microsoft Ignite, MMS, and Techdays. He also spends a lot of time in communities, like
deploymentbunny.com and itproffs.se. Mikael has been awarded Microsoft Most Valuable
Professional (MVP) for more than eleven years.
Johan Arwidmark
Johan Arwidmark is a consultant and all-around geek specializing in Systems
Management and Enterprise Windows Deployment Solutions. Johan also speaks at several
conferences each year, including MMS and TechEd events around the world. He is
actively involved in deployment communities like deploymentresearch.com and
myitforum.com and has been awarded Microsoft Most Valuable Professional (MVP) for
more than eleven years.
Contents
Title Page
Copyright
Acknowledgments
About the Authors
Mikael Nyström
Johan Arwidmark
Introduction
Say Hello (Possibly Again) to ViaMonstra Inc.
Structure of the Book
How to Use This Book
Sample Files
Additional Resources
Topics Not Covered
Chapter 1: Designing ViaMonstra Inc.
ViaMonstra Inc.
New York Site
Hardware
Server Software
Servers
Chapter 2: Deployment Fundamentals
Deployment Scenarios
In-Place Upgrade
New Computer
Computer Refresh
Computer Replace
Deployment Methods
Automation Level
Images
Default Image
Reference Images
Drivers
Finding the Drivers
Driver Scenarios
Volume Activation
Active Directory-Based Activation
Key Management Service (KMS)
Data Deduplication
Chapter 3: Tools of the Trade
Windows Assessment and Deployment Kit (ADK) 10
Deployment Image Servicing and Management (DISM)
Windows System Image Manager (WSIM)
Windows Imaging and Configuration Designer (Windows ICD)
Volume Activation Management Tool (VAMT)
Windows Preinstallation Environment (Windows PE)
Application Compatibility Toolkit (ACT)
Microsoft Assessment and Planning Toolkit (MAP) Toolkit
Security Compliance Manager (SCM)
Windows Deployment Services (WDS)
Microsoft Deployment Toolkit (MDT)
Lite Touch Components
Windows Server Update Services (WSUS)
Microsoft Desktop Optimization Pack (MDOP)
Microsoft Diagnostics and Recovery Toolset (DaRT)
Microsoft User Experience Virtualization (UE-V)
Microsoft Application Virtualization (App-V)
Chapter 4: Windows 10
Windows 10 Editions
Windows 10 Home
Windows 10 Mobile
Windows 10 Pro
Windows 10 Enterprise
Windows 10 Enterprise LTSB
Windows 10 Mobile Enterprise
Windows 10 Education
Windows 10 IoT
Windows as a Service
Windows Store for Business
Windows Update for Business
New or Improved OS Functions
User Interface Changes
Security Enhancements
Hyper-V in Windows 10
Chapter 5: Deploying Office 2016
Using the Office 2016 Deployment Tool
Configuration Files
Download Office 2016
Install Office 2016
Chapter 6: Using PowerShell
Get-Help, Update-Help, and Online Help
Updating the Documentation
Enhanced Online Help
PowerShell ISE
Showing Commands
Verbose Output
Get – Filter – Set!
Get!
Filter!
New and Set
Variables
String Quoting and Escape Sequences
Set-ExecutionPolicy and Get-ExecutionPolicy
Building Blocks to Create Great Scripts
Step One: Doing the “Get”
Step Two: Using Parameters as Input in Your Script
Step Three: Ifs and Buts
Step Four: Reading Data from an XML File Instead of Typing Everything
Step Five: Where Am I?
Running Executables in PowerShell
Using Write-Host (or Not)
Support for Windows PE
Chapter 7: Preparing Your Infrastructure for OS Deployment
Step-by-Step Guide Requirements
Why Do You Need a Legacy Active Directory?
Create the Service Accounts
Create the Sample Users
Create the Sample Groups
Add Sample Users to Sample Groups
Install Volume Activation Services
Configure Active Directory Permissions
Update Your ADMX Files
Create a Separate OU for Windows 10 Machines
Preparation for BitLocker
Preparation for Virtual Secure Mode
Configuring MDT01
Install Windows ADK 10
Install MDT 2013 Update 2
Install ConfigMgr 2012 R2 Toolkit
Add WDS and Data Deduplication to the MDT01 Virtual Machine
Configuring WSUS01
Install Report Viewer 2008 SP1
Install SQL Server 2014 SP1 Express with Tools
Add Windows Server Software Update Services (WSUS)
Configure Windows Server Update Services (WSUS)
Additional Verification of the WSUS Configuration
Chapter 8: Setting Up MDT for Reference Image Builds
Step-by-Step Guide Requirements
The Reference Image
Setting up the MDT Build Lab Deployment Share
Create the MDT Build Lab Deployment Share
Configure the MDT Build Lab Deployment Share
Configure the MDT Build Lab Deployment Share for Updates
Alternative Ways to Add Updates
Adding the Setup Files
Add Windows 10 Enterprise x64 (Full Source)
Adding the Applications
Preparing for Microsoft Office 2016 Click-to-Run Deployment
Import the Applications
Drivers and the Reference Image
Creating the Reference Image Task Sequence
Create a Task Sequence for Windows 10 Enterprise x64
Edit the Windows 10 Task Sequence
Optional Configuration – Adding a Suspend Action
Edit the Unattend.xml File for Windows 10 Enterprise
Review Deployment Share Rules
Update the Deployment Share
The Rules Explained
Chapter 9: Creating Reference Images
Step-by-Step Guide Requirements
Build a Windows 10 Reference Image
Chapter 10: Setting Up MDT for Production Deployment
Step-by-Step Guide Requirements
Setting Up the MDT Production Deployment Share
Create the MDT Production Deployment Share
Configure the MDT Production Deployment Share
Configure the MDT Production Deployment Share for Updates
Adding the Setup Files
Add Windows 10 Enterprise x64 (Custom)
Adding the Applications
Download the Applications
Import the Applications
Preparing the Drivers Repository
Create the Driver Source Structure in the File System
The Logical Driver Structure in MDT
Selection Profiles for Boot Image Drivers
Extract and Import Drivers for the x64 Boot Image
Download, Extract, and Import Drivers for Intel NUC D54250WYK
Download, Extract, and Import Drivers for Surface Pro 3
Download, Extract, and Import Drivers for Dell XPS 13 (9343)
Creating the Deployment Task Sequence
Create a Task Sequence for Windows 10 Enterprise x64
Edit the Windows 10 Enterprise x64 Task Sequence
Configuring the MDT Production Deployment Share
Enable Monitoring
Review the Rules and Add Sample Scripts
Update the Deployment Share
The Rules Explained
Creating the Logs Folder
Creating the MigData folder
Configure Windows Deployment Services (WDS)
Set Default Boot Image
TFTP Configuration
Chapter 11: New Computer Scenario
Step-by-Step Guide Requirements
Deploying the Windows 10 Client
Create a Virtual Machine and Start the Deployment
Use the MDT Monitoring Feature
Use Information in the Event Viewer
Multicast Deployments
Requirements
Set Up MDT for Multicast
Start the Multicast Deployment
Using Boot Media
Creating a Bootable USB Stick
Using Offline Media
Create the Offline Media Selection Profile
Create the Offline Media
Configure the Offline Media
Generate the Offline Media ISO and Deploy Folder
Create a Bootable USB Stick
Chapter 12: In-Place Upgrade Scenario
Step-by-Step Guide Requirements
Upgrading PC0001 to Windows 10
Start the Virtual Machines
Add the Windows 10 Default Image
Create a Windows 10 Upgrade Task Sequence
Edit the Upgrade Windows 10 Enterprise x64 Task Sequence
Initiate the Windows 10 In-Place Upgrade
Chapter 13: Computer Refresh Scenario
Step-by-Step Guide Requirements
Preparing for Computer Refresh
Multi-User Migration
Support for Additional Settings
Create a Custom USMT Template
Add the ViaMonstra Custom XML Template
Refreshing a Windows 7 Client
Upgrade (Refresh) a Windows 7 SP1 Client
Chapter 14: Computer Replace Scenario
Step-by-Step Guide Requirements
Preparing for the Computer Replace
Create a Replace (Backup Only) Task Sequence
Edit the Replace (Backup Only) Task Sequence
Start the Replace (Backup Only) Task Sequence
Deploy the PC0005 Virtual Machine
Chapter 15: Enable Remote Connection
Step-by-Step Guide Requirements
Add DaRT 10 to the Boot Images
Update the Deployment Share
Update the Boot Image in WDS
Deploy the PC0006 Virtual Machine
Chapter 16: Enabling BitLocker
Step-by-Step Guide Requirements
MDT and BitLocker
Add BIOS Configuration Tools
Verify That the TPM Chip Is Enabled and Activated
Configure the Windows 10 Task Sequence to Enable BitLocker
Deploy the PC0007 Machine
Chapter 17: Enabling Dynamic Deployment
Step-by-Step Guide Requirements
Bending the Rules
Assigning Settings
Sample Configurations
UserExit Scripts
Configuring the Rules to Call a UserExit Script
The Setname.vbs UserExit Script
The AliasUserExit.vbs UserExit Script
Running PowerShell via UserExit Scripts
Simulating a Deployment in a Test Environment
Create the Test Environment
Add Properties on the Command Line
Test PowerShell Scripts
Chapter 18: Prestage Computer Information
Step-by-Step Guide Requirements
Selecting a Database
Install SQL Server 2014 SP1 Express with Tools
Configure the Firewall for the SQL Server 2014 Browser Service
Create the Deployment Database
Configure Database Permissions
Create an Entry in the Database
Assigning Applications Using Roles
Create and Assign a Role Entry in the Database
Associate the Role with a Computer in the Database
Verify the Deployment in the Test Environment
Chapter 19: Moving the Computer Object during Deployment
Step-by-Step Guide Requirements
Installing and Configuring the Deployment Webservice
Create a Service Account and Assign Permissions
Configure Active Directory Permissions
Install the Web Server (IIS)
Copy the Deployment Webservice and Enable Only Required Functions
Create an Application Pool for Deployment Webservice
Using the MoveComputerToOU Function
Test the MoveComputerToOU Function
Enable the MoveComputerToOU Function for Deployments
Appendix A: Using the Hydration Kit to Build the PoC Environment
The Base Servers
New York Site Servers (192.168.1.0/24)
The Base Clients
New York Site Clients (192.168.1.0/24)
Internet Access
Setting Up the Hydration Environment
How Does the Hydration Kit Work?
Preparing the Setup Folder
Preparing the Hydration Environment
Deploying the New York Site VMs
Deploy GW01
GW01 Post-Deployment OS Configurations
Deploy DC01
DC01 Post-Deployment OS Configurations
Deploy MDT01
Deploy MDT02
Deploy WSUS01
Deploy PC0001
Deploy PC0002
Appendix B: Building a Distributed Environment
Replicating Deployment Shares
Linked Deployment Shares in MDT
Why DFS-R Is a Better Option
Setting Up DFS-R
Prepare MDT01 and MDT02 for DFS-R
Create the Replication Group Using PowerShell
Configure the Deployment Share
Appendix C: Creating an Office 2016 MSI Setup
Creating the Install - Microsoft Office 2016 Pro Plus - x86 Application
Add the Microsoft Office 2016 Pro Plus x86 Installation Files
Automate the Microsoft Office 2016 Pro Plus x86 Setup
Index
Beyond the Book – Meet the Experts
Live Presentations
Video Training
Live Instructor-led Classes
Twitter
Introduction
Deployment Fundamentals – Volume 6 is the ultimate source for the working IT Pro who
wants to build a real-world deployment solution for Windows 10 based on Microsoft
Deployment Toolkit (MDT) and PowerShell.
This is a HOW TO GET IT DONE book, solely focusing on building deployment
solutions with roots in the real world. In addition to the guidance provided, you also find a
massive script repository in the book sample files.
Say Hello (Possibly Again) to ViaMonstra Inc.
In this book, we build a real-world Windows 10 deployment solution for the fictive
ViaMonstra Inc. organization. ViaMonstra is a midsized company with two locations and
3000 employees. The locations are New York and Stockholm.
BTW, the name ViaMonstra comes from Viam Monstra, Latin, meaning “Show me the
way.” We thought it was a cool name to have.
Code snippets and sample scripts are set in a different typeface like in the following
example.
HideShell=NO
WSUSServer=http://wsus01.corp.viamonstra.com:8530
This book is not intended as a reference volume, covering every technology, acronym, or
command-line switch known to man, but rather is designed to make sure you learn what
you need to know to build a great Windows 10 deployment infrastructure based on
Windows Server 2012 R2.
Sample Files
All sample files used in this book can be downloaded from
http://deploymentfundamentals.com.
Additional Resources
In addition to all tips and tricks provided in this book, you can find extra resources like
articles and video recordings on our blogs, http://deploymentresearch.com and
http://deploymentbunny.com.
Topics Not Covered
This book does not cover VDI solutions or System Center deployment solutions
Chapter 1
Physical Servers
• HV01. Hyper-V Server
• HV02. Hyper-V Server
Virtual Servers
• DC01. Domain Controller, DNS, and DHCP
• GW01. Virtual Router (optional server used for Internet access)
• MDT01. Deployment Server
• MDT02. Deployment Server (optional server used for the distributed environment
topic covered in Appendix B)
• WSUS01. Management Server
Virtual Clients
• PC0001. Windows 7 SP1 Enterprise x64
• PC0002. Windows 7 SP1 Enterprise x64
Note: When writing this book, we used Hyper-V in Windows Server 2012 R2 as our
primary virtual platform, but all the guides also have been tested on VMware, both
VMWare Workstations and ESXi.
Hardware
ViaMonstra Inc. uses server hardware kindly provided by HP (thanks). The two physical
servers (HV01 and HV02) are HP Proliant ML350p Gen8 servers. All servers are
equipped with local attached storage.
Server Software
For the server deployments there are not too many core applications to worry about. The
following list describes ViaMonstra’s software (in addition to Windows Server 2012 R2)
that is used for the servers deployed in this book:
• Windows ADK 10
• BGInfo
• ConfigMgr 2012 R2 Toolkit
• MDT 2013 Update 2
• Visual C++ runtimes (2005–2015)
• Report Viewer 2008 SP1
• SQL Server 2014 Express SP1 with Tools
Servers
To build a replica of our infrastructure and run through the guides in this book, you can
run all virtual machines on a single Hyper-V or VMware host with 16 GB of RAM and at
least 500 GB free disk space.
As you read the book, you learn to install and configure the following servers for the New
York site:
• DC01. A Windows Server 2012 R2 machine, fully patched with the latest security
updates, and configured as Active Directory Domain Controller, DNS Server, and
DHCP Server in the corp.viamonstra.com domain.
• Server name: DC01
• IP Address: 192.168.1.200
• Roles: DNS, DHCP, and Domain Controller
• GW01. A Windows Server 2012 R2 machine, fully patched with the latest security
updates, and configured as a workgroup server. This server is used as an optional
virtual router that enables having all the other virtual machines on an isolated
network, but still having Internet access.
• Server name: GW01
• IP Address: 192.168.1.1
• Roles: Routing and Remote Access (RRAS)
• MDT01. A Windows Server 2012 R2 machine, fully patched with the latest
security updates, and configured as a member server in the corp.viamonstra.com
domain.
• Server name: MDT01
• IP Address: 192.168.1.210
• Roles: File Server, and WDS
• MDT02. An optional Windows Server 2012 R2 machine, fully patched with the
latest security updates, and configured as a member server in the
corp.viamonstra.com domain.
• Server name: MDT02
• IP Address: 192.168.1.211
• Roles: File Server, and WDS
• WSUS01. A Windows Server 2012 R2 machine, fully patched with the latest
security updates, and configured as a member server in the corp.viamonstra.com
domain.
• Server name: WSUS01
• IP Address: 192.168.1.240
• Roles: WSUS
• Software: SQL Server 2014 Express with SP1
Chapter 2
Deployment Fundamentals
When working with Windows 10 deployment, there are a few terms you need to know.
This chapter is a crash course in Microsoft deployment terminology and scenarios.
Deployment Scenarios
The deployment toolset we use, MDT, supports four scenarios for Windows 10
deployments. The scenarios are explained in detail in the next section, but here is quick
summary:
• In-place upgrade. A new deployment scenario, available only for Windows 10. In
this scenario, you simply upgrade an existing Windows 7 or Windows 8/8.1 machine
exactly as it is to Windows 10.
• New computer. A bare metal deployment of a new machine.
• Computer refresh. A reinstall of the same machine (with user-state migration and
an optional full WIM backup).
• Computer replace. A replacement of the old client with a new client (with user-state
migration and an optional full WIM backup).
MDT also supports a special OEM scenario that you can use if you want to prepare an
image in-house and then send it to an OEM for cloning. We do not describe that scenario
in detail, but thought we should at least mention that it exists.
Real World Note: Deciding on using an OEM scenario is not an easy task. Even though
useful in some cases, the OEM scenario really helps only when installing new
computers. You still need to have a solution for refreshing existing machines, and you
still need to create your reference images that you send to the OEM. Also, the
turnaround time for new images is normally not “the next day.” Make sure to dedicate
plenty of time for a pilot project with your hardware vendor if thinking about using the
OEM scenario.
In-Place Upgrade
The in-place upgrade scenario in Windows 10 is a very nice deployment addition when it
can be used. First of all, it upgrades the system as it is, with all applications, data, and
settings. There is no option for selecting what should be included. It’s an all or nothing
scenario. This means that you need to be quite happy with the current platform because
the new Windows 10 machine will be exactly the same as before, except of course for now
running Windows 10.
In addition, while in-place upgrades are nice, there are quite a few scenarios when you
need to use the old-school deployment scenarios (new computer, refresh computer, and
replace computer). Windows 10 in-place upgrades has the following limitations:
• You cannot use a custom reference image with applications installed. You have to
use the default Microsoft image.
Real World Note: Even though you cannot use a custom image with applications, you
can add updates, which is in fact what setup.exe does when dynamic update is enabled.
In that scenario, setup.exe downloads the latest cumulative update, mounts a local copy
of the WIM image, injects that update, and commits the changes. It then continues with
the upgrade process.
If you patch the WIM manually, to avoid setup.exe from trying update the WIM image
twice, you want to disable dynamic updates. But that also disables downloading out-of-
box drivers from WU, so make sure to have a good driver management process for the
upgrade (via MDT, of course).
• You cannot change from BIOS to UEFI (not supported by Microsoft) or do other
disk layout changes.
• You cannot upgrade with (most) third-party disk-encryption software installed.
(Currently, only one McAfee version works.)
• You cannot upgrade when (most) third-party antivirus software is installed.
• You cannot upgrade between architectures (e.g. x86 to x64)
• You cannot change the base operating system language.
• You cannot change to a lower edition (or SKU).
• You cannot upgrade a “boot from VHD” system.
• You cannot upgrade Windows To Go USB sticks.
New Computer
This scenario occurs when you have a blank machine you need to deploy, or an existing
machine you want to wipe and redeploy without caring about any existing data. The setup
starts from a boot media, using PXE, CD/DVD, USB, or ISO images. You also can
generate a full offline media, including all the files needed for a client deployment. The
target can be a physical computer, a virtual machine, a virtual disk running on a physical
computer (Boot from VHD), or a USB stick (Windows To Go).
The deployment process for the new machine scenario is as follows:
1. The setup is started from boot media (PXE, CD/DVD, USB, or ISO).
2. System validations are run.
3. The operating system image is installed.
4. Other application installations follow (as part of the task sequence).
5. The machine is ready to be used.
Computer Refresh
Sometimes called wipe-and-load, this was the new “upgrade” for Windows 7 and
Windows 8.1 deployments. The process is initiated on the running client. User data and
settings are then backed up and restored as part of the deployment process. The target can
be the same as for the new computer scenario except for the USB stick.
The deployment process for the wipe-and-load scenario is as follows:
1. The setup starts on a machine running the operating system that is to be upgraded.
2. System validations are run.
3. User state is saved locally (normally).
4. The operating system image is installed.
5. Other application installations follow.
6. User state is restored.
7. The machine is ready to use.
Real World Note: In Windows 10, there is a similar feature built into the operating
system named “Reset this PC.” The core difference is that the Reset this PC feature does
not restore legacy application settings, only the new Windows 10 applications, and it
actually does not restore the application. It just reserves the application in the Start
menu, and when you select the application, Reset this PC downloads it from the store.
Computer Replace
A computer replace is similar to the refresh scenario. But because we are replacing the
machine, we divide this scenario into two main tasks: backup of the old client, and bare
metal deployment of the new client. As with the refresh scenario, user data and settings
are backed up and restored.
The deployment process for the replace scenario is as follows:
1. The setup starts on a machine running the operating system that is to be upgraded.
2. System validations are run.
3. The user state is saved on the server through a backup job.
4. Then the new computer is deployed as a bare metal deployment.
5. The previous backup is restored on the new computer.
Real World Note: Sometimes the computer replace scenario is used even if you would
like to keep your old hardware. If the machine is using a third-party disk encryption
system, it could be faster to treat the scenario as a replace to avoid decrypting the hard
drive before deployment, or spending time getting refresh scenarios to work. This also
applies when the disk partitioning layout is incorrect (BIOS vs UEFI).
Deployment Methods
In terms of actual deployment methods, nothing has changed with Windows 10. It still
supports network deployment via both PXE and boot media, as well as completely
standalone media. The standalone media can be either DVD or a USB stick.
Automation Level
Microsoft marketing sometimes has interesting ways of naming the deployment solutions.
Names like MDT Lite Touch, or Zero Touch, are nothing but marketing names, and have
nothing to do with the level of automation used. In fact, both solutions can be as manual,
or as automated as you like it to be. For Windows 10 deployment, the solutions from
Microsoft support the following automation levels:
• Wizard driven. Prompting for information during deployment.
• Fully automated. Prestaging information prior to starting the deployment.
• Dynamic. Local and/or backend systems generating information in real-time.
• Hybrid. Also called semi-automation, prestaging some information and prompting
for other.
Images
Starting with Windows Vista, everything in terms of operating system deployment is
image based. To give you an example, if you open the Windows 10 ISO and look in the
Sources folder, you will find a file named install.wim. This is a ready-to-go sysprepped
image of Windows 10. The Windows 10 images also support offline servicing, which
enables you to add updates, language packs, drivers, and so forth.
Default Image
This is simple the default Microsoft image that you download from either Microsoft
Developer Network (MSDN) or Volume Licensing Service Center (VLCS). This image is
used for the in-place upgrade scenario and for building reference images.
Reference Images
With Windows 10, you don’t really have to create a reference image because the image on
the Windows 10 ISO/DVD is ready for deployment. However, you probably still want to
create a reference image of Windows 10 for other reasons, such as speed of deployment
and to add run-time components that other applications need.
In the long term, even with the Windows as a Service model, you will find that Windows
10 will require more and more updates, and using reference images greatly saves time on
deployment. In general, we strongly recommend creating reference images from the
beginning because changing methods along the road takes additional time.
Real World Note: Even though not technically required for automated deployments, a
good reference image makes your deployment easier; it is very well worth spending the
extra hours making it perfect. Put it this way, even the tiniest error in the image cause a
significant impact when you deploy the image to a few thousand machines.
We like the analogy of a house, where the reference image is the foundation. If you don’t
create a strong foundation, it doesn’t matter how great the walls are. The structure will fail
eventually. Ask the engineers who built the leaning tower of Pisa. They probably wished
they had spent some extra time on the foundation.
Thin Image
A thin image is an image without any applications. It may contain some basic settings, like
customizations to the administrator profile or other operating system settings. When
deploying thin images, the applications, drivers, and additional settings are installed or
injected at deployment time. Even if this image type typically contains operating system
components like .NET Framework, Internet Explorer, and updates from Microsoft Update,
it’s still considered a thin image. In general, a thin image is more suitable in a dynamic
environment.
Thick Image
A thick image is an image with most applications included. The primary reason for
creating this image type is deployment speed. Drivers and settings are still kept outside the
image, with the rare exception of the new Windows To Go feature in Windows 10 where
you do want to include drivers. In general, a thick image is more suitable in a static
environment. Educational organizations typically use this type of image.
Real World Note: If you do decide to use applications in the image, make sure that
applications are Sysprep-aware. For example, never, ever, put third-party antivirus
software in the reference image. It’s the most common cause of Sysprep breaking. Other
applications that don’t fit in an image are applications that include unique identifiers.
The main purpose of thicker images is to reduce deployment time. So if you have
applications that require a manual installation, it makes sense to put those applications in
the reference image. It’s better to do it manually one time instead of a few thousand
times.
Hybrid Image
A hybrid image is an image with only some features or applications included, with others
being installed as part of the image deployment process. The primary reason for creating
this image type also is for deployment speed. A hybrid image can sometimes provide you
with the best of both worlds, decreasing deployment time, but providing flexibility. This is
the most commonly used image type, and in this book, you use this image type.
Drivers
When deploying Windows to physical hardware, the setup requires drivers, and the
various deployment solutions from Microsoft have slightly different ways of dealing with
them. However, they do have a few things in common. The first thing is that you need to
find the drivers.
Driver Scenarios
A second thing related to drivers that Microsoft deployment solutions have in common is
that the drivers are stored outside the image in a driver repository and are injected during
deployment. There are three basic scenarios for driver injection that you should know
about:
• Total chaos. The default method for injecting drivers. This method uses PnPID
detection to figure out which drivers should be copied from the deployment server
and injected during the deployment. In general, this method is useful if you have a
very limited set of hardware models.
• Added predictability. This is a variant of the total chaos method, but you add
additional filters to control which drivers are considered for injection. For example, if
you have a driver repository that contains drivers for both Windows 7 and Windows
10, only Windows 10 drivers are considered for Windows 10 deployments and vice
versa.
• Total control. This is a method in which you manually organize drivers in a logical
structure, for example, by operating system, vendor, and model. You then configure
the deployment solution to inject only the correct drivers for the correct model. This
is the scenario we recommend that you use.
Real World Note: The scenario names are not official Microsoft terms. They are our
own.
Volume Activation
Since Windows Vista, all versions of Windows need to be activated. For an enterprise
organization, you have a few different options for doing that. You can activate the
Windows 10 client on-premise via Active Directory-Based Activation or the Key
Management Service (KMS), and off-premise via Microsoft hosted activation services
(online or via telephone).
Real World Note: If running your KMS host on Windows Server 2008 R2, please
upgrade to at least Windows Server 2012 R2. Windows Server 2008 R2 is a really old
operating system.
Data Deduplication
Data deduplication was introduced in Windows Server 2012 and has been improved in
Windows Server 2012 R2. The basic idea is to slice all files into chunks, basically remove
everything that looks the same, and just keep one chunk, thereby saving space. In reality, it
is a bit more complicated. In the R2 release, it is now possible to use data deduplication in
conjunction with Hyper-V, primarily to improve Virtual Desktop Infrastructure (VDI)
solutions. Data deduplication also works with Storage Spaces in clustered environments.
The amount of space you save with data deduplication is in the area of 50–9x percent, but
in the VDI scenario you also benefit significantly from the increased performance.
Loading up a bunch of VDI machines is much faster if run on data-deduplicated spaces.
The total amount of data that needs to be read is much smaller and most of it will be the
same, so it stays in the cache during the expansion of the data.
Chapter 3
Real World Note: Please note that the deployment tools included in the ADK are
nothing but supporting infrastructure and are not to be used as a deployment solution.
We still meet too many customers who tried to build their own deployment solutions
based on the ADK (and former WAIK) tools. Never, ever do that, please…
Note: If you install Windows ADK 10 on a server, you don’t get the Windows
Assessment Toolkit and Windows Assessment Services – Client. But if you install
Windows ADK 10 on a client, you do.
Deployment Image Servicing and Management (DISM)
Unofficially dubbed (by us) as the most difficult acronym to remember, DISM is used for
servicing boot images and operating system images. You also can use PowerShell to call
the DISM functions; for example, you can run this PowerShell command to see all
available DISM functions:
Get-Command -Module Dism
Real World Note: Even though we recommend using the PowerShell cmdlets of DISM
when you can, please note that the dism.exe file has features that are not yet supported
by the PowerShell DISM cmdlets.
DISM supports servicing both online and offline images. An example is installing the
Microsoft .NET Framework 3.5.1 online in Windows 10. “Online” here means starting the
installation in the running operating system, not that you get the software online. The
/LimitAccess switch configures DISM to get the files only from a local source.
Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS /LimitAccess
Real World Note: While provisioning packages is a very interesting technology, it’s
also a very 1.0 feature. That means there are quite a few bugs, and the integration with
other deployment solutions like MDT or ConfigMgr is nonexistent.
WICD showing the Windows 10 settings for Windows Defender in a provisioning package.
Real World Note: The reports and information in MAP are not only useful for
engineers and technicians. They also can help “convert” technical data into business
language, making the information easy to understand for less technical people.
Real World Note: We don’t consider WDS to be a deployment solution. It’s far too
limited to be called a solution. Rather, it is a critical deployment piece used by other
deployment solutions like MDT. This means that even if you should not use WDS as
your deployment solution, you still need to use it indirectly, as supporting infrastructure.
Without the WDS infrastructure, you will not be able to PXE boot or use multicast when
needed.
Real World Note: “Lite Touch” and “Zero Touch” are just marketing names for the two
solutions that MDT supports, and the naming has nothing to do with the level of
automation. The standalone MDT solution (Lite Touch) can be fully automated if you
want, and the solution integration with ConfigMgr can be configured to prompt for
information.
The MDT admin console, the Deployment Workbench, showing a task sequences.
Deployment Share
One or more shared folders on the server contain all the setup files and scripts needed for
the deployment solution. The folder is the deployment share. It also holds the
configuration files (called rules) that are gathered when a machine is deployed. These
configuration files can reach out to other sources, like a database, external script, or web
server, to get additional settings for the deployment.
Rules
The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT, the
mastermind if you will. The rules control the Windows Deployment Wizard on the client
and, for example, can provide the following settings to the machine being deployed:
• Computer name
• Domain to Join, and OU in Active Directory to hold the computer object
• Whether to enable BitLocker
• Regional settings
• And literally hundreds of additional settings
Later in this chapter, in the “The Rules Explained” section, you learn more details about
the rules.
Boot Images
Boot images are the WinPE-based images that are used to start the deployment. They can
be started from a CD/DVD, an ISO file, a USB device, or over the network using a PXE
server. The boot images connect to the deployment share on the server and start the
deployment.
Operating Systems
Using the Deployment Workbench, you import the operating systems you want to deploy.
In this book, we use Windows 10, but MDT 2013 Update 2 also supports deploying
Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012,
Windows Server 2012 R2, and Windows Server 2016 Technical Preview 4.
You can import either the full source (like the contents of the Windows 10 ISO file) or a
custom image that you have created. The full source operating systems are primarily used
to create reference images and for the new in-place upgrade scenario.
Applications
Using the Deployment Workbench, you also add the applications you want to deploy.
MDT supports virtually every executable Windows file type. It can be a standard .exe file
with command-line switches for an unattended install; it also can be a Windows Installer
(MSI) package, a batch file, a VBScript, or a PowerShell script. In fact, it can be just
about anything that can be executed unattended. MDT also supports the new universal
applications in Windows 10.
Real World Note: You cannot add an application just anywhere in the task sequence. It
needs to be in the state restore phase (or after). We get quite a number of email messages
from people who tried to install the application during the WinPE phase, and that
doesn’t work.
Drivers Repository
You also use the Deployment Workbench to import the drivers your hardware needs into a
repository that lives on the server, not in the image. The default behavior in MDT Lite
Touch is to do a PnP ID scan during the WinPE phase, match that list with the drivers in
the repository, and then download and inject the matching drivers during deployment.
Real World Note: Some devices do need a full application to work, in addition to the
core driver, and these driver applications have to be added as normal applications in
MDT.
Packages
With the Deployment Workbench, you can add any Microsoft packages that you want to
use. The most commonly added packages are language packs, and the Deployment
Workbench Packages node works fine for those. You also can add security and other
updates this way. However, we generally recommend that you use WSUS for operating
system updates because package administration in MDT can be quite time-consuming.
The rare exceptions are critical hotfixes that are not available via WSUS, packages for the
boot image, or any other package that needs to be deployed before the WSUS update
process starts (for example updates to the Windows Update agent).
Task Sequences
Task sequences are the heart and soul of the deployment solution. When creating a task
sequence, you need to select a template. The templates are located in the Templates folder
in the MDT installation directory, and they determine which default actions are present in
the sequence.
You can think of a task sequence as a list of actions that need to be executed in a certain
order. Each action also can have conditions. Some example actions follow:
• Gather. Reads configuration settings from the deployment server
• Format and Partition. Creates the partition(s) and formats them
• Inject Drivers. Finds out which drivers the machine needs and downloads them
from the central drivers repository
• Apply Operating System. Runs DISM to apply the operating system image
• Windows Update. Connects to a WSUS server (or Microsoft Update if no WSUS
server is specified) and updates the machine
Real World Note: We don’t recommend using the Sysprep and Capture task sequence.
The primary reason is that you are supposed to use an automated process when creating
reference images, as described in this book, and the Sysprep and Capture task sequence
also tends to break as soon as the image is slightly different from what the task sequence
expects. You have been warned.
• Standard Client task sequence. The most used task sequence. Used for creating
reference images, as well as for deploying clients in production.
• Standard Client Replace task sequence. Used to run USMT backup for client
deployments and the optional full WIM backup action. Can also be used to do a
secure wipe of a machine that is going to be decommissioned.
• Standard Client Upgrade task sequence. Used to run the in-place upgrade scenario
for Windows 10 (only).
• Custom task sequence. As the name implies, a custom task sequence with only one
default action (one Install Application action).
• Litetouch OEM task sequence. Used to pre-load operating system images on the
computer hard drive. Typically used by computer OEMs, but some enterprise
organizations also use this feature.
• Standard Server task sequence. The default task sequence for deploying operating
system images to servers. The main difference between this template and the
Standard Client task sequence template is that it does not contain any USMT actions
(because USMT is not supported on servers).
• Standard Server Upgrade task sequence. Used to run the in-place upgrade
scenario for Windows Server 2016 (only). Currently the upgrade is not recommend
for Windows Server 2016.
• Post OS Installation task sequence. A task sequence prepared to run actions after
the operating system has been deployed. Very useful for server deployments and
various hydration solutions, but not often used for client deployments.
• Deploy to VHD Client task sequence. Similar to the Standard Client task sequence
template, but also creates a virtual hard disk (VHD) file on the target computer and
deploys the image to the VHD file.
• Deploy to VHD Server task sequence. Same as the Deploy to VHD Client task
sequence, but for servers.
The MDT Lite Touch task sequence templates.
Selection Profiles
Available in the Advanced Configuration node, selection profiles provide a generic way in
MDT to filter content in the Deployment Workbench.
Logging
MDT uses a lot of log files during operating system deployments. By default, the logs are
client side, but by configuring the deployment settings, which is recommended and what
you do in this book, you can have MDT store them on the server, as well.
Monitoring
On the deployment share, you also can enable monitoring. After doing that, you will see
all running deployments in the Monitor node in the Deployment Workbench.
Windows Server Update Services (WSUS)
WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local
repository of Microsoft updates and then distribute them to machines on your network.
WSUS offers approval control and reporting of the update status in your environment.
Windows 10
Windows 10 is a major update to say at least. In this chapter, we highlight the most
important changes.
Windows 10 Editions
There are quite a few editions of Windows 10 available, and in this book, we focus only
on the Windows 10 Pro and Windows 10 Enterprise editions. That being said, there are
other editions of Windows 10 that may be of interest to you.
Windows 10 Home
Windows 10 Home is the consumer-focused desktop edition, meaning probably not for
you. It’s the Windows version your grandmother will buy, well unless she works in IT, too.
Windows 10 Mobile
Then there is the Windows 10 Mobile edition, the version to be used on smaller, mobile,
touch-centric devices like smartphones and small tablets, also called phablets. They are
like big phones, but in general are used for playing videos, checking email, and so forth.
Windows 10 Pro
The Pro version is the desktop edition for PCs, larger tablets, and 2-in-1s. This one may
look like the Windows 10 Home version, but has additional business features, like joining
legacy Active Directory domains.
Windows 10 Enterprise
Windows 10 Enterprise is the version we recommend for organizations. It builds on
Windows 10 Pro, adding more security features and management capabilities. As with
prior versions of Windows, active Software Assurance customers in volume licensing can
upgrade to Windows 10 Enterprise as part of their existing Software Assurance benefits.
In Windows 10 Enterprise, you also get access to features like AppLocker, DirectAccess,
Windows To Go, and more.
Windows 10 Education
Windows 10 Education has the same feature set as Windows 10 Enterprise. It’s just
licensed differently and, as the name implies, targeted for educational organizations.
Windows 10 IoT
This edition is a very small version of Windows 10, intended for devices such as robot
vacuum cleaners, controller devices, or any industrial application where you need a small
and very cheap computer. This edition is used for devices like the $35 dollar Raspberry Pi
2 computer and has a very small footprint.
Windows as a Service
With Windows 10, Microsoft is changing to a Windows as a Service model. What this
means is that Microsoft provides not only security updates on a regular basis, but also new
features every once in a while. These new features releases, commonly referred to as
service releases, will be released 2–3 times per year for the “normal” Windows 10
editions, and less frequently for the Windows 10 Enterprise LTSB version. The exact
frequency for the LTSB editions are not yet known, but from what we’ve heard, you can
expect yearly updates, rather than almost quarterly updates for the other Windows 10
editions.
The new service model also changes how updates are released and tested compared with
previous releases of Windows. Updates for Windows 10 (and Office 2016) are released in
a ring-based approach.
Timeline of Windows as a Service and the numbers for testers for each step.
When using a ring-based approach, as with Windows 10, you get the following timeline
for how updates are tested and released:
1. Updates are created and released internally within Microsoft for initial testing.
2. After the initial, engineering build release, the updates are delivered for a broad
validation, still inside Microsoft. Updates are being tested by tens of thousands of
people at this point.
3. After that, the updates goes out to the people signed up for the Microsoft Insider
Preview program, meaning the updates are now being tested by the millions of
insiders.
4. When the insider tests are done, the updates becomes available for organizations
and users with Windows 10 configured for the current branch (CB), that is, with
system not configured to defer updates.
5. Finally, the updates reach the users and organizations that are following the current
business branch (CBB), that is, have configured their environments to defer updates.
Within the current business branch, organizations typically deploy updates in waves,
or rings, starting with smaller pilots and then expanding after the pilot tests have
been successful.
Real World Note: Because most organizations are using either WSUS or ConfigMgr to
release updates internally, the actual release cycles of the updates are not the same as the
updates actually being installed. When using WSUS or ConfigMgr, an administrator
must still approve the updates before machines get it. Obviously, updates are not
available for approval until released.
Windows Store for Business
In November 2015, the new Windows Store for Business was launched, adding support
for bulk application acquisition as well as a private store. Microsoft also added flexible
distribution options for distributing content and applications to your Windows 10 devices.
The updated Defer Upgrades and Updates settings for Windows Update for Business.
New or Improved OS Functions
Covering all the changes in Windows 10 would require a complete book of its own, but
here is a summary of the most important changes.
Start Menu
You cannot miss the new Start menu in Windows 10, which you can resize and customize.
Like the Windows 8 and 8.1 Start menu, it also can be customized during deployment and
via group policy (Windows 10 Enterprise and Education editions).
Settings
In Windows 10, if you open the old control panel, you see that most settings are gone.
They are instead moved to Settings, or PC Settings as it was in Windows 8.1 and earlier
builds of Windows 10.
You also will notice that many of the configuration wizards have changed, as well. As an
example, if you select to join Windows 10 to a legacy Active Directory domain, you see
that the wizard is quite different from the one in previous versions of Windows. You type
mostly the same information, but you still can’t control much from here. Therefore, we
recommend using PowerShell when you can because it gives you more control, like
selecting what OU in Active Directory to put the machine into.
Settings in Windows 10.
Universal Applications
The Windows 10 platform enables a new class of applications, universal applications.
These are applications intended to be written only once, with one set of business logic, but
still work on the various device form factors that are available. You also find several
universal applications built into Windows 10, like Calculator (except for the Windows 10
Enterprise LTSB edition in which it is still the old calculator).
A universal application looks like any other desktop application in Windows 10, can run in
a window, and is installed and updated via the Microsoft Store.
Cortana
Then, of course, you find Cortana, your built-in Windows 10 personal assistant.
Security Enhancements
Security is a core tenant in Windows 10, with protection against modern security threats.
Quite frankly, there has never been a time during which securing an operating system was
more important than it is now.
Microsoft Passport
Microsoft Passport can be used to replace passwords with strong two-factor authentication
that consists of an enrolled device and Windows Hello (biometric) or PIN.
Windows Hello
Windows Hello is biometric authentication that lets you unlock your Windows 10 device
with your fingerprint, iris, or face. The fine print states that Windows Hello requires
specialized hardware such as Intel’s RealSense 3D camera.
Device Guard
Device Guard works pretty much like AppLocker, but is actually a hardware-assisted
application locker that allows only signed applications to run on a system. This feature is
in Windows Enterprise only and requires UEFI and virtualization support in BIOS (Intel
VT-X or AMD-V).
Also, with Device Guard, the kernel is running in Virtual Secure Mode.
Hyper-V in Windows 10
Another feature in Windows 10 that has improved quite a bit is Hyper-V. You will find a
lot of nice enhancements in this release.
Production Checkpoints
Production checkpoints allow you to easily create “point-in-time” images of a virtual
machine. The change, compared with the old saved states, is that these production
checkpoints can be restored later on in a way that is completely supported for all
production workloads.
For production checkpoints, the Volume Snapshot Service (VSS) is used inside Windows
virtual machines. And if you are using Linux virtual machines, they will flush their file
system buffers to create a file system-consistent checkpoint.
PowerShell Direct
PowerShell Direct is a new feature to Windows Management Framework version 5 that
enables Windows hosts to run PowerShell commands against a Hyper-V guest. Think of
this as PowerShell remoting without having to enable remoting on the guest operating
system. Your guest doesn’t have to configure the firewall to permit remoting. You don’t
even need a network card.
Connected Standby
Also, we did not list it here, but in Windows 10, Hyper-V is compatible with Connected
Standby
When the Hyper-V role is enabled on a computer that uses the Always On/Always
Connected (AOAC) power model, the Connected Standby power state is now available
and works as expected.
Configuration Files
Office 2016 uses two configuration files: one to download Office 2016, and one to install
or configure Office. In the Office 2016 Deployment Tool download, you already get a
sample configuration file, which you need to modify; however, you need to start by
creating a download XML file that is used to download or update the installation source
with the latest version of Office 2016.
Real World Note: You can find a reference for the Click-to-Run configuration.xml file
on TechNet: https://technet.microsoft.com/en-us/library/jj219426.aspx.
The following is a sample download XML file for the x86 edition of Office 2016 (Click-
to-Run). In this example, we changed the branch from the default current branch for
business plan (the default plan for Office 365 Pro Plus subscribers) to current branch.
<Configuration>
<Add SourcePath=“C:\Setup\DL\Microsoft_Office_2016” OfficeClientEdition=“32” Branch=“Current” >
<Product ID=“O365ProPlusRetail”>
<Language ID=“en-us” />
</Product>
<Product ID=“VisioProRetail”>
<Language ID=“en-us” />
</Product>
</Add>
</Configuration>
Download Office 2016
Once you have created the download.xml file, to download the latest version of Office
2016, you simply run the following command:
C:\Setup\DL\Microsoft_Office_2016\Setup.exe /download
C:\Setup\DL\Microsoft_Office_2016\download.xml
After the configuration file is modified, you simply run the following command:
Setup.exe /configure configuration.xml
Chapter 6
Using PowerShell
Throughout the various guides in this book, you use quite a few PowerShell scripts. If you
are new into PowerShell, we highly recommend reading through this chapter which covers
the core PowerShell basics used in this book.
Note: This chapter is not a complete reference guide to PowerShell 5.0 (preview), which
is the version used in Windows 10. It is closer to the “super-quick crash course” that will
get you into a state where you can use PowerShell without banging your head against
the keyboard (or wall) too many times.
Get-Help, Update-Help, and Online Help
The very first PowerShell cmdlet every IT administrator should learn is Get-Help. The
Get-Help cmdlet works exactly like it sounds: it gives you help information about cmdlets.
For example, if you want to know how the Get-WmiObject cmdlet works, you can type:
Get-Help -Name Get-WmiObject
Real World Note: The first time you run Get-Help on a new server, it wants to
download/update the help documentation. To avoid this, you can make a habit of always
running Update-Help when you deploy a new server.
PowerShell ISE
The premier editor for PowerShell is PowerShell ISE. It has IntelliSense, auto-complete,
snippets, help access, the works.
ISE showing IntelliSense.
Showing Commands
Another cool feature in PowerShell is the ability to graphically display cmdlets, or options
for the cmdlets, using the Show-Command cmdlet:
Show-Command
Displaying all commands.
Or why not display the available options for a single cmdlet?
Show-Command New-NetIPaddress
The result of running Show-Command New-NetIPaddress.
Verbose Output
When running commands, you often can get verbose output by simply adding the -
Verbose switch to the command. We say “often” because not all cmdlets give you
additional output. It depends on how the cmdlet is written, but many commands do give
you additional detail.
Get!
Most Get- cmdlets work the same way. If you don’t specify a name, the cmdlet gives you
all items in that location. So here are some examples:
Note: Remember that most server configuration operations require that you run the
PowerShell prompt elevated.
It is also possible to execute multiple Get- cmdlets and pipe them in a chain. Let’s assume
you need to see all MAC addresses in all VMs. Get-VM gets you the VMs, and Get-
NetWorkAdapter gets you information regarding MAC addresses. This gives you the
answer:
Get-VM | Get-VMNetworkAdapter
With the new output format Out-GridView, you get a really good view of the data, and you
can even sort and filter data with it. Add | Out-GridView at the end, and you get this:
Get-VM | Get-VMNetworkAdapter | Out-GridView
Filter!
There are two basic ways to filter data. First, you can use a built-in -Filter function in the
cmdlet (if it has one). In general, if the cmdlet you are using has a -Filter function, we
recommend using it because it is easy and fast. Here is an example with a cmdlet (Get-
WmiObject) that has the -Filter function:
Get-WmiObject –Class:Win32_ComputerSystem -Filter:“Model like ‘%Proliant%’”
• Combining Get- and Set- to configure a VM’s memory settings (the command is
wrapped and should be one line):
Get-VM -Name MDT01 | Set-VM -StaticMemory -MemoryStartupBytes 4GB
Variables
When creating scripts, it is useful to use variables. In PowerShell, you also can use them
interactively, which saves a lot of typing. By using variables, you can put a long Get-
command in one simple variable. The cool thing with variables is that the item you have in
your variable is not just an item; it also is the complete object. You can see that by adding
a trailing “.” to the end of the variable and then using the Tab key to browse through all
the properties behind the object.
In this example, we assigned the $MyVM variable to a VM named MGT01 and then typed
$MyVM + Tab to find all available properties:
$MyVM = Get-VM -VMName MDT01
$MyVM.MemoryStartup
But if you add another word, like “Datacenter” in the following example, then PowerShell
gets confused and does not correctly detect “Datacenter” as belonging together with
“ViaMonstra”. As a result, PowerShell throws an error.
Write-Output -InputObject ViaMonstra Datacenter
To avoid problems with type detection, you can tell PowerShell that ViaMonstra
Datacenter is a string by adding single quotes around it, like this:
Write-Output -InputObject ‘ViaMonstra Datacenter’
Using Escapes
Another technique you can use is the escape, a back quote (`). The escape forces
PowerShell to treat the following character literally, as opposed to interpreting it in any
way. For example:
$DiskType = ‘SSD’
Write-Output -InputObject “Our new $DiskType disk was `$1000”
Note: The Param block needs to be at the beginning of the script to work.
In the next example, you learn to use a few different Param blocks, with different
conditions and validation settings:
Param(
[Parameter(Mandatory=$True,HelpMessage=“First Name”)]
[ValidateLength(3,20)]
$FirstName,
[Parameter(Mandatory=$True,HelpMessage=“Last Name”)]
[ValidateLength(3,20)]
$LastName,
[Parameter(Mandatory=$False,HelpMessage=“Department”)]
[ValidateSet(“Sales”,“Store”,“Management”)]
$Department = “Store”
)
$FirstName
$LastName
$Department
The first parameter asks for the name. It’s a mandatory parameter (required), and the name
needs to be at least 3 characters long but no longer than 20 characters.
The second parameter is the same, but that will be stored in the $LastName variable
instead of in the $FirstName variable.
The third parameter is a bit different. First, it is optional; second, it has a default value;
and third, it allows only Sales, Store, or Management as valid options. Because we do that,
we also can tab choose values on the command line when we run the script, which is very
nice.
[Parameter(Mandatory=$True,HelpMessage=“Last Name”)]
[ValidateLength(3,20)]
$LastName,
[Parameter(Mandatory=$True,HelpMessage=“Department”)]
[ValidateSet(“Sales”,“Store”,“Management”)]
$Department,
[Parameter(Mandatory=$True,HelpMessage=“Department”)]
[ValidateSet(“Sweden”,“Norway”,“Finland”)]
$Country
)
$FirstName
$LastName
$Department
Switch($Country)
{
Sweden
{
Write-Host “Contact Johan for salary discussions”
}
Norway
{
Write-Host “Contact Harold for salary discussions”
}
Finland
{
Write-Host “Contact Linus for salary discussions”
}
Default
{
Write-Host “Epic fail…”
Break
}
}
Step Four: Reading Data from an XML File Instead of Typing
Everything
Even though it’s nice to have all the details on the command line and use Param, you will
soon find that it gets quite boring typing 192.168.1.1 as the default gateway every time
you build a new VM using PowerShell. To avoid that, you can store commonly used
parameters in an XML file and read in the data like this:
$SettingsFile = “.\XMLSettings.xml”
[xml]$Settings = Get-Content $SettingsFile –Verbose
$name = $Settings.Settings.Defaults.Name
Write-Host $Name
Or if the path has spaces in it, you put it in quotes, like this:
“C:\Program Files\Internet Explorer\iexplore.exe”
The problem is that PowerShell won’t like that one bit. Instead you either have to lead in
with an “&” or use Invoke-Item cmdlet. This means that either of these commands works:
& “C:\Program Files\Internet Explorer\iexplore.exe”
You also can use the Start-Process cmdlet. One of the cool things about Start-Process is
that you can use parameters to specify options, such as loading a user profile, starting the
process in a new window, or using alternate credentials. Here is an example that starts
Notepad, maximizes the window, and waits until you close Notepad:
Start-Process Notepad -Wait -WindowStyle Maximized
Another (technical) option is to use Invoke-Expression, but generally you want to avoid
that. Invoke-Expression is useful for some scenarios, such as creating new scripts at
runtime, but for running other executables, we don’t recommend using it.
Using Write-Host (or Not)
During the last months of 2013, there was a somewhat big discussion going on whether
you should use Write-Host, Write-OutPut, Write-Verbose, or any of the other cmdlets
when displaying data in your scripts. It all started when Jeffrey Snover, the original
architect behind PowerShell, issued a statement on his blog
(http://www.jsnover.com/blog). The statement was the following:
Using Write-Host is almost always wrong.
Then the post continued on and explained why it is that way. The shorthand version is that
using Write-Host in scripts interferes with automation, such as when you have multiple
scripts that are used together for a large task.
Jeffrey continued to say that the correct cmdlet to use is Write-Output or Write-Verbose.
Write-Output is useful to convey the results because Write-Output displays the results to
the screen when you run your script by itself; but, it also allows your script to be used in a
pipeline (or foreach loop) and have the results used by other scripts/cmdlets. Write-
Verbose is useful for conveying comforting information to the user.
That being said, we believe that Write-Host is not all bad. It’s faster and simpler to use,
and it can be very useful when creating small scripts not intended for automation, like
temporary scripts, or when you want to generate a user experience (UX) for the user
running the script. Write-Host does have the ability to colorize text.
Support for Windows PE
Okay, we just have to mention support for Windows PE. It’s not really new in Windows 10
because PowerShell has been available for Windows PE (WinPE) since version 4.0, but
still, it’s both cool and useful to have the support for PowerShell in WinPE. For example,
when deploying servers, it’s much easier to add code for dealing with hardware or the
operating system compared with using VBScript. Assume you would like to know more
about the hardware. Just fire up PowerShell and type:
Get-WmiObject –Class:Win32_ComputerSystem
Note: You also need to have downloaded the setup files and book sample files, as
outlined in Appendix A. This files will be used in the various guides in this and later
chapters.
Why Do You Need a Legacy Active Directory?
Active Directory is needed for quite a few things in a modern datacenter; basically, it is
the central repository for identity and access control. Many of the features in Windows 10
require Active Directory, and having Active Directory also helps manage the environment
more easily. A commonly used feature is Group Policy to configure machines and users
centrally, and you can use Active Directory as a way to have a trusted connection when
using remote PowerShell. But there is new functionality in Windows 10 that could lead
you to have Azure Active Directory instead or a hybrid solution. Let’s say that you work
for an education organization and have 1,000 staff users and 10,000 students. In this case,
you could have all student computers joined into Azure Active Directory, managed using
Windows 10’s built-in Mobile Device Management Agent, and the staff being managed by
on-premise resources. It is possible to manage Windows 10 in so many new ways, so
because you managed computers one way “back in the days” does not mean it should still
be that way.
3. Create the MDT Join Account by running the following command (the command
is wrapped and should be one line):
C:\Setup\Scripts\New-VIAServiceAccount.ps1 -AccountName MDT_JD -
AccountDescription “MDT Join Domain Account”
-AccountType ServiceAccount -Password “P@ssw0rd”
Note: Make sure to get the Windows 10 KMS host key named “Windows Srv 2012 R2
DataCtr/Std KMS for Windows 10” on the VLCS site. There is also a Windows 10-only
key that can be installed only on KMS hosts running the Windows 10 operating system.
Note: The KB 3058168 hotfix requires that you have the April 2014 update rollup for
Windows Server 2012 R2 (KB 2919355) installed, but if you followed our guide in
Appendix A, you are already good to go.
Real World Note: Even if your organization has decided on migrating all machine to
Windows 10, you will likely still have to support Windows 7, at least for a little while.
That’s why you have to enable KMS in addition to the Active Directory-Based
Activation.
Configure Active Directory Permissions
The MDT_JD account created earlier is used to join deployed computers to the domain.
For this to work, the MDT_JD account needs to have permissions to the organizational
unit. In these steps, you run a script that assigns the correct permissions:
1. On DC01, log on as VIAMONSTRA\Administrator, and open an elevated
PowerShell prompt.
2. Set the Active Directory permissions by running the following command (the
command is wrapped and should be one line):
C:\Setup\Scripts\Set-VIAOUPermissions.ps1
-Account MDT_JD
-TargetOU “OU=Workstations,OU=ViaMonstra”
Real World Note: Even though we don’t configure BitLocker for any Windows 7
machines in this chapter, we still recommend enabling support for Windows 7. Most
organizations are likely to have a mix of Windows 7, Windows 8/8.1, and Windows 10,
at least for a while.
Real World Note: If you consistently get the error “Windows BitLocker Drive
Encryption Information. The system boot information has changed since BitLocker was
enabled. You must supply a BitLocker recovery password to start this system.” after
encrypting a computer with BitLocker, you might have to relax the various “Configure
TPM platform validation profile” group policies, as well. This depends on what
hardware you are using. For the hardware used for this book, we didn’t need to;
however, we have run into other hardware where this was needed, such as when using
docking stations.
3. The unattended Windows ADK 10 setup runs without a visible UI. But you can
view the setup progress by reviewing the Windows ADK 10 setup logs in
C:\Users\Administrator.VIAMONSTRA\AppData\Local\Temp\adk.
2. Configure WDS by running the following command (the command is wrapped and
should be one line):
C:\Setup\Scripts\Set-VIARoles.ps1 -Role DEPL -Path “E:\RemoteInstall”
Configuring WSUS01
Windows Server Update Services (WSUS) is a critical infrastructure component in any
network. WSUS needs a database and can use either the Windows Internal Database built
into Windows Server 2012 R2 or a SQL Server database (either the full or express
version). ViaMonstra has decided to use the free SQL Server 2014 SP1 Express database
for WSUS.
In this section, you configure the WSUS01 server.
2. Verify that Report Viewer 2008 SP1 was installed on WSUS01 by running the
following command (the command is wrapped and should be one line):
Get-WmiObject –Class Win32_Product -Filter
“Name LIKE ‘%Report%’”
You should get a process called sqlservr. (Yes, it’s named like that.)
Note: Before starting these steps, make sure that WSUS01 can access the Internet. One
very easy way to do that is by running the Test-NetConnection command with no
parameters. The default behavior for that command is to verify access to
internetbeacon.msedge.net.
Verifying Internet access on WSUS01.
1. Install Windows Update Server Services by running the following command from
an elevated PowerShell prompt:
C:\Setup\Scripts\Install-VIARoles.ps1 -Role WSUS
3. Verify that the Windows Server Update Services has started by running the
following command:
Get-Process –Name *WSUS*
2. Configure WSUS for products, classifications, second sync settings and decline
superseded patches by running the following command from an elevated
PowerShell prompt:
C:\Setup\Scripts\Configure-VIAPostWSUSPart2.ps1
3. Create the ViaMonstra Default Approval Rule by running the following command
from an elevated PowerShell prompt:
C:\Setup\Scripts\Configure-VIAPostWSUSPart3.ps1
4. Run the ViaMonstra Default Approval Rule by running the following command
from an elevated PowerShell prompt:
C:\Setup\Scripts\Configure-VIAPostWSUSPart4.ps1
Note: The last script, Configure-VIAPostWSUSPart4.ps1, also initiates the actual
download of the updates, which takes some time.
5. Verify the WSUS configuration for Update Categories by running the following
command from an elevated PowerShell prompt (the command is wrapped and
should be one line):
(Get-WSUSServer -Name WSUS01 -Port
8530).GetSubscription().GetUpdateCategories() |
Select-Object Title
Note: If the Windows Server Update Services Configuration Wizard appears the first
time, just click Cancel. WSUS is (most times) not smart enough to figure out that it is
already configured.
2. Browse through the configuration, and you should see that it is fully configured
now.
The WSUS console populated with updates.
Chapter 8
3. From the Start screen, start the Deployment Workbench and review the MDT
Build Lab deployment share. You should find folders in Operating Systems and in
Task Sequences.
The MDT Build Lab deployment share showing the folders created.
3. Using the Deployment Workbench, in the MDT Build Lab deployment share,
review the Operating Systems node.
Real World Note: In this book, we provide you with VBScript wrappers for all
applications. This is not because you need to use VBScript wrappers to install
applications in MDT (it supports running any type of Windows executable file as an
application), but so you have a consistent way of working with applications, for
supporting applications that require both x86 and x64 components without your having
to create an application bundle, and for getting additional logging and installation
options.
3. On MDT01, open the Deployment Workbench and verify that your applications
have been imported.
Applications have been imported to the Deployment Workbench.
Drivers and the Reference Image
Because we use modern virtual platforms for creating our reference images, we don’t need
to worry about drivers when creating reference images for Windows 10. It does not matter
whether you use Hyper-V or VMware as your virtualization platform, either of them
works. For Hyper-V, use Generation 1 VMs, and for VMware, use the default settings
when creating a VM. To keep the image as clean as possible, we don’t recommend
installing the VMware Tools in the reference image.
Real World Note: In VMware, if you don’t install the VMware Tools and open Device
Manager in your virtual machine, you may see that the virtual machine is missing the
driver for the VMware VMCI Bus. This is nothing to be alarmed about; the Sysprep
process in Windows 10 is very good at cleaning out even undetected devices.
Creating the Reference Image Task Sequence
It is now time to create the build and capture task sequence for your reference image. You
create one reference image based on Windows 10 Enterprise x64.
After creating the task sequence, you configure it to enable patching against the WSUS
server. The Task Sequence Windows Update action supports getting updates directly from
Microsoft Windows Update, but you get a more stable patching if you use a local WSUS
server. WSUS also allows for an easy process of approving the patches that you are
deploying.
Note: The actual OS name may change for Windows 10 versions over time.
Note: Enabling an action is done by going to the Options tab and clearing the Disable
this step check box.
Real World Note: The reason for adding the applications after the Tattoo action but
before Windows update is simply to save time during the deployment. This way we can
add all applications that will upgrade some of the built-in components and therefore
avoiding unnecessary “Windows Updating.”
f. State Restore / Custom Tasks (Pre WU): Add a new Install Roles and
Features action with the following settings:
• Name: Install - Microsoft NET Framework 3.5.1
• Select the operating system for which roles are to be installed:
Windows 10.
• Select the roles and features that should be installed: .NET
Framework 3.5 (includes .NET 2.0 and 3.0) .
Real World Note: Of all things that you do when creating a reference image, this step is
probably the most important one. Many applications need the .NET Framework, and we
strongly recommend having it available in the image. The one thing that makes this
different from other components is that .NET Framework 3.5.1 is not included in the
WIM file; it is installed from the SourcesSxS folder on the media, and that makes it
more difficult to add after the image has been deployed.
Task sequence after adding the Install - Microsoft NET Framework 3.5.1 action.
g. State Restore / Custom Tasks (Pre WU): After the Install - Microsoft NET
Framework 3.5.1 action, add a new Install Application action with the
following settings:
• Name: Install - Microsoft Visual C++ - x86-x64
• Install a Single Application: Install - Microsoft Visual C++ - x86-
x64
h. State Restore / Custom Tasks (Pre WU): After the Install - Microsoft Visual
C++ - x86-x64 action, add a new Install Application action with the
following settings:
• Name: Install - Microsoft Office 365 - x86
• Install a Single Application: Install - Microsoft Office 365 -x86
i. After the Install - Microsoft Office 365 - x86 action, add a new Restart
computer action.
j. State Restore / Imaging / Sysprep Only: Before the Execute Sysprep action,
add a new Run Command Line with the following settings:
• Name: Delete unattend.xml
• Command line: cmd.exe /c del
C:\Windows\Panther\unattend.xml
Real World Note: If using the Sysprep Only feature in the deployment wizard (for
example to build a reference image for System Center 2012 R2 Virtual Machine
Manager, or the Windows Server 2012 R2 VDI solution), you need to make sure MDT
deletes the Unattend.xml file in the image before turning of the machine. Another option
is to create a WIM file, which automatically skips this file, and then simply use a
PowerShell script to apply the WIM to a VHD or VHDX file.
3. Click OK.
Real World Note: You also can use Unattend.xml to enable components in Windows,
like the Telnet Client or client Hyper-V. Normally we prefer to do this via the Install
Roles and Features action, or by using DISM command-line tools, because then we can
enable the component as an application, being dynamic, having conditions, and so forth.
Also, if you are adding packages via Unattend.xml, it’s version-specific, meaning
Unattend.xml must match the exact version of the operating system you are servicing.
Follow these steps to configure Internet Explorer 11 settings in Unattend.xml for the Ref Windows 10 Enterprise x64
task sequence:
Real World Note: As fun as it ever is to debug web pages, the ViaMonstra users really
don’t have to do that.
5. Save the Unattend.xml file, and close Windows System Image Manager (ignore
the validation errors).
6. In the Ref Windows 10 Enterprise x64 Properties window, click OK.
Real World Note: Windows System Image Manager validates the XML differently
from the previous version. It doesn’t like empty values. However, the Unattend.xml file
is never used directly. It is used as a template, so the task sequence updates the
Unattand.xml file before it is used, and you can ignore the error message “There are
validation errors in this answer file. Do you want to continue?”
Review Deployment Share Rules
In MDT, there are always two rule files, the CustomSettings.ini file and the Bootstrap.ini
file. You can add almost any rule to either; however, the Bootstrap.ini file is copied from
the control folder to the boot image, so the boot image needs to be updated every time you
change that file.
For that reason, we recommend adding only a minimal set of rules to Bootstrap.ini, such
as which deployment server and share to connect to, the DEPLOYROOT value. Put the
other rules in CustomSettings.ini because that file is updated immediately when you click
OK (which saves the file). In the following steps, you review the rules that were
configured for the MDT Build Lab deployment share:
1. Using the Deployment Workbench, right-click the MDT Build Lab deployment
share and select Properties.
2. In the Rules tab, review the information.
The server-side rules for the MDT Build Lab deployment share.
3. Click Edit Bootstrap.ini and review the information in the file.
The boot image rules for the MDT Build Lab deployment share.
Real World Note: For security reasons, you normally don’t add the password to the
Bootstrap.ini file; however, because this deployment share is for creating reference
image builds only and should not be published to the production network, we think it is
okay to do it here.
4. In the Windows PE tab, in the Platform drop-down list, make sure x86 is selected
and then review the current settings. Then click Cancel.
The MDT Build Lab settings created by the PowerShell script used to create the
deployment share.
Real World Note: One of MDT’s features is that the x86 boot image can deploy both
x86 and x64 operating systems (except for UEFI hardware). However, you still need to
have both architectures available because the x64 boot image is still being used during
computer refresh and other scenarios that are staging WinPE on the hard drive.
Real World Note: Because you can use an x86 boot image for both x86 and x64
operating systems (reference images only), the MDT Build Lab deployment was
configured not to create an ISO file for the x64 architecture.
[Default]
DeployRoot=\MDT01\MDTBuildLab$
UserDomain=VIAMONSTRA
UserID=MDT_BA
UserPassword=P@ssw0rd
SkipBDDWelcome=YES
So, what are these settings?
• Priority. This determines in what order different sections are read. This Bootstrap.ini
has only one section, named [Default].
• DeployRoot. This is the location of the deployment share. Normally, this value is set
by MDT, but you need to update the DeployRoot value if you move to another server
or other share. If you don’t specify a value, the Windows Deployment Wizard
prompts you for a location.
• UserDomain, UserID, and UserPassword. These values are used for automatic
logon to the deployment share. Again, if they are not specified, the wizard prompts
you.
Real World Note: Caution is advised. These values are stored in clear text on the boot
image. Use them only for the MDT Build Lab deployment share and not for the MDT
Production deployment share.
Real World Note: All properties beginning with “Skip” control only whether to display
that pane in the Windows Deployment Wizard. Most of the panes also require you to
actually set one or more values.
[Default]
_SMSTSORGNAME=ViaMonstra
UserDataLocation=NONE
DoCapture=YES
OSInstall=Y
AdminPassword=P@ssw0rd
TimeZoneName=Pacific Standard Time
JoinWorkgroup=WORKGROUP
;HideShell=YES
FinishAction=SHUTDOWN
WSUSServer=http://wsus01.corp.viamonstra.com:8530
ApplyGPOPack=NO
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=YES
SkipBitLocker=YES
SkipSummary=YES
SkipRoles=YES
SkipCapture=NO
SkipFinalSummary=YES
Real World Note: If you want to learn more about the HideShell behavior in Windows
10 deployments, please read this post by Michael Niehaus:
http://blogs.technet.com/b/mniehaus/archive/2015/08/24/windows-10-mdt-2013-update-
1-and-hideshell.aspx.
Real World Note: The easiest way to find out the current time zone name on a
Windows 10 machine is to run tzutil /g in a PowerShell prompt (or command prompt).
You can also run tzutil /l to get a listing of all available time zone names.
• WSUSServer. Specifies which WSUS server (and port if needed) to use during the
deployment.
• SLSHARE. Instructs MDT to copy the log files to a server share if something goes
wrong during deployment, or when a deployment is successfully completed.
• SkipAdminPassword. Skips the wizard pane that asks for the Administrator
password.
• SkipProductKey. Skips the pane that asks for the product key.
• SkipComputerName. Skips the Computer Name pane.
• SkipDomainMemberShip. Skips the Domain Membership pane. If set to Yes, you
need to configure either the JoinWorkgroup value or the JoinDomain, DomainAdmin,
DomainAdminDomain, and DomainAdminPassword properties.
• SkipUserData. Skips the pane for user state migration.
• SkipLocaleSelection. Skips the pane for selecting language and keyboard settings.
• SkipTimeZone. Skips the pane for setting the time zone.
• SkipApplications. Skips the Application pane.
• SkipBitLocker. Skips the BitLocker pane.
• SkipSummary. Skips the initial Windows Deployment Wizard summary pane.
• SkipRoles. Skips the Install Roles and Features pane.
• SkipCapture. Skips the Capture pane.
• SkipFinalSummary. Skips the final Windows Deployment Wizard summary.
Because you use FinishAction=Shutdown, you don’t want the wizard to stop in the
end so that you need to click OK before the machine shuts down.
Chapter 9
The VMs used in this chapter (the REFW10X64-001 VM is created in this chapter).
Build a Windows 10 Reference Image
1. Copy the E:\MDTBuildLab\Boot\MDT Build Lab x86.iso on MDT01 to
C:\Setup\ISO on the host PC.
Real World Note: In MDT, when building reference images, you can use the x86 boot
image to deploy both x86 and x64 operating system images. That’s why you use the x86
boot image in this guide instead of the x64 boot image.
e. Network: Internal
f. Hard disk: 60 GB (dynamic disk)
g. Image file: C:\Setup\ISO\MDT Build Lab x86.iso
3. Create a checkpoint (snapshot) of the REFW10X64-001 virtual machine, and name
it Clean with MDT Build Lab x86 ISO.
Real World Note: Taking a checkpoint is really useful if you need to restart the process
and want to make sure you can start clean.
4. Start the REFW10X64-001 virtual machine, and after booting into WinPE,
complete the Windows Deployment Wizard using the following setting:
a. Select a task sequence to execute on this computer: Ref Windows 10
Enterprise x64
b. Specify whether to capture an image: Capture an image of this reference
computer
Location: \MDT01\MDTBuildLab$\Captures
c. File name: REFW10X64-001.wim
The setup now starts and does the following:
a. Installs the Windows 10 Enterprise operating system
b. Installs the added applications, roles, and features
c. Updates the operating system via your local WSUS server
d. Stages WinPE on the local disk
e. Runs Sysprep and reboots into WinPE
f. Captures the installation to a WIM file
g. Turns off the virtual machine
After some time, you will have a fully patched, sysprepped image of Windows 10
Enterprise x64 in the E:\MDTBuildLab\Captures folder on your deployment server. The
filename is REFW10X64-001.wim.
3. From the Start screen, start the Deployment Workbench and review the MDT
Production deployment share. You should find folders in the Operating Systems,
Out-of-Box Drivers, and Task Sequences folders. Close the Deployment
Workbench after reviewing the configuration.
The MDT Production deployment share showing the folders created.
Real World Note: There also are MSI versions of Adobe Reader DC available, but they
are typically one version behind, at least for a while.
Oracle Java 8
Oracle Java 8 is a Java runtime used for Java-based applications. You can download Java
from http://www.java.com/en/download/windows_offline.jsp.
Note: If you are using a newer version of Java (very likely), you also need to update the
Install-OracleJava8.wsf script with the new file name.
3. Import the applications by opening an elevated PowerShell prompt and running the
following command (the command is wrapped and should be one line):
C:\Setup\Scripts\Import-MDTApps.ps1 -Path “E:\MDTProduction” -
ImportFolder “C:\Setup\MDTProduction\Applications”
4. On MDT01, open the Deployment Workbench and verify that your applications
has been imported.
Real World Note: Most of the drivers will be downloaded and extracted using each
vendor’s tool, but some of the drivers have to be installed on a machine with matching
hardware. Then you get the actual driver from that installation directory. But don’t
worry, as you will learn all the gory details shortly. J
Real World Note: Even if you are not going to use both the x86 and x64 boot images in
this book, we still recommend that you add the support structure for it because you
might need it in the future.
The E:\Drivers structure on MDT01.
Note: If you had Deployment Workbench open when running the Set-
VIAMDTProductionDS.ps1 script, you won’t see the changes until you close and
reopen Deployment Workbench.
9. Click Cancel.
The MDT Production deployment share.
Real World Note: Use WinRAR or any other extractor. Even if the PROWinx64.exe
file supports a switch for silent extraction (/s), it will fail unless you run it on an
operating system with the same architecture. Our favorite extractors are WinRAR and 7-
Zip.
2. Using File Explorer, create the E:\Drivers\WinPE x64\Intel PRO1000 folder.
3. Copy the content of the C:\Tmp\PROWinx64\PRO1000\Winx64\NDIS65 folder
to E:\Drivers\WinPE x64\Intel PRO1000.
Real World Note: Even if it is possible to import the entire folder, it is a very bad idea.
You will end up with hundreds of drivers that you never use, every deployment will
copy all drivers in the folder down to the machine, and you will have a massive number
of drivers to deal with for a long time. The saying “less is more” really applies here.
Note: It’s not required to extract the CAB file. MDT actually knows how to import the
CAB file content as it is, but extracting it makes it easier to review the content and do
some house-cleaning if needed.
2. Using the Deployment Workbench, navigate to MDT Production / Out-Of-Box
Drivers / Windows 10 x64.
3. Right-click XPS 13 9343, select Import Drivers, and use the following setting for
the Import Driver wizard:
Driver source directory: E:\Drivers\Windows 10 x64\XPS 13 9343
Enable Monitoring
In these steps, you enable monitoring on the MDT Production deployment share:
1. On MDT01, right-click the MDT Production deployment share and select
Properties.
2. In the Monitoring tab, select the Enable monitoring for this deployment share
check box.
3. Click OK.
Real World Note: You can have only one deployment share configured for monitoring;
however, it is possible to add a property manually to all other deployment shares. If you
want to have monitoring enabled for, let’s say, the MDT Build Share deployment share,
just add the following to the rules: EventService=http://MDT01:9800.
Real World Note: Because you are going to use PXE later to deploy the machines, you
don’t really need the ISO file; however, we recommend creating ISO files because they
are very useful when troubleshooting deployments and for quick tests.
6. In the Drivers and Patches sub-tab, select the WinPE x86 selection profile and
verify the following settings.
• Selection Profile: WinPE x86
• Include all drivers from the selection profile: Selected
7. In the Drivers and Patches sub-tab, select the WinPE x64 selection profile and
verify the following settings.
• Selection Profile: WinPE x64
• Include all drivers from the selection profile: Selected
8. Click Cancel.
The Windows PE General sub-tab for the x64 boot image.
[Default]
DeployRoot=\MDT01\MDTProduction$
UserDomain=VIAMONSTRA
UserID=MDT_BA
SkipBDDWelcome=YES
[ByIsOnBattery]
SubSection=ByIsOnBattery-%IsOnBattery%
[ByIsOnBattery-True]
OSInstall=NO
[HardwareInfo]
UserExit=AliasUserExit.vbs
ModelAlias=#SetModelAlias()#
[Default]
_SMSTSORGNAME=ViaMonstra
OSInstall=Y
UserDataLocation=AUTO
TimeZoneName=Pacific Standard Time
AdminPassword=P@ssw0rd
JoinDomain=corp.viamonstra.com
DomainAdmin=MDT_JD
DomainAdminDomain=VIAMONSTRA
StagingOU=ou=Staging,ou=Internal IT,ou=ViaMonstra,dc=corp,
dc=viamonstra,dc=com
MachineObjectOU=ou=Workstations,ou=viamonstra,dc=corp,
dc=viamonstra,dc=com
SLShare=\MDT01\Logs$
ScanStateArgs=/ue:*\* /ui:VIAMONSTRA\*
USMTMigFiles001=MigApp.xml
USMTMigFiles002=MigUser.xml
HideShell=NO
ApplyGPOPack=NO
FinishAction=REBOOT
;WSUSServer=http://wsus01.corp.viamonstra.com:8530
SkipAppsOnUpgrade=NO
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=NO
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=NO
SkipBitLocker=YES
SkipSummary=YES
SkipCapture=YES
SkipFinalSummary=YES
[MoveComputerToOU]
WebService=http://MDT01/DeploymentWebService/ad.asmx/MoveComputerToOU
Parameters=OSDComputerName,MachineObjectOU
OSDComputerName=ComputerName
MachineObjectOU=OUPath
In Chapter 8, you learned the basics about the CustomSettings.ini properties. Here is a list
the additional properties that we use in the MDT Production rules file:
• ByIsOnBattery. This section is used to abort the deployment if running on battery.
• HardwareInfo. This section is used to call the AliasUserExit.vbs script that assigns
friendly names to make and model alias. These values are in turn being used to assign
drivers from the driver repository.
• JoinDomain. This indicates which domain to join.
• DomainAdmin. This identifies which account to use when joining the machine to
the domain.
• DomainAdminDomain. This is the domain for the join domain account.
• DomainAdminPassword. This is the password for the join domain account.
• MachineObjectOU. This specifies into which OU to add the computer account.
• StagingOU. This custom property is used for the move computer scenario in
Chapter 19.
• ScanStateArgs. These are the arguments for the USMT Scanstate command.
• USMTMigFiles(*). This is the list of USMT templates (controlling what to back up
and restore).
• MoveComputerToOU. This custom section is used for the move computer scenario
in Chapter 19.
Real World Note: You can also automate “Press Enter” or “Press F12” (depending on
BIOS or UEFI) during deployment by changing the boot properties to always continue
the PXE boot. However, that PXE setting might increase the chance for an “Oops, I
reloaded my machine” situation because it will force a machine that is configured to
PXE boot first in the BIOS boot order to start the deployment. Setting boot properties to
always continue the PXE boot works best when you don’t have machines that are
configured to boot on the network device in the first place and should be used with
caution. It also is possible to prestage the machines in Active Directory using the WDS
console or wdsutil.exe.
TFTP Configuration
In some cases, you need to modify TFTP Maximum Block Size settings for performance
tuning reasons, especially when PXE traffic travels through routers and such. In the
previous version of WDS, it was possible to change that, but the method of doing it was
far from friendly (editing the registry). Changes in Windows Server 2012 and Windows
Server 2012 R2 make it easy—just click the TFTP tab in the WDS UI and modify the
settings for Maximum Block Size, and you are done.
Real World Note: Normally you start by setting the block size to 16384 (decimal) and
then test whether it works on your hardware. If it doesn’t, try 8192 first, then 4096, and
so forth.
If you are running your PXE server in a VMware environment, this setting might make
the deployment process slower, test and verify before using this setting in production.
Also, there are a few new features related to TFTP performance:
• Scalable buffer management. Allows buffering an entire file instead of a fixed size
buffer for each client, allowing different sessions to read from the same shared buffer.
• Scalable port management. Provides the ability to service clients with shared UDP
port allocation, increasing scalability.
• Variable-size transmission window (Variable Windows Extension). Improves
TFTP performance by allowing the client and server to determine the largest
workable window size.
The VMs used in this chapter (the PC0003 VM is created in this chapter).
Deploying the Windows 10 Client
Great work! At this point, you should have a deployment solution ready for deploying
Windows. We do recommend starting slowly, trying a few deployments at the time, until
you are confident that your configuration works as expected.
Real World Note: The MDT Monitoring feature can be extended even more. Because
the Event viewer and Task Scheduler work together, you can, for example, configure the
deployment server to send you an email after a successful deployment or event, and
even better, if a deployment fails.
Multicast Deployments
Multicast deployment allows for image deployment with reduced network load during
simultaneous deployments. Although multicast is a nice OS deployment feature in MDT
deployments, it requires that your network supports it and also is designed for it.
Requirements
Multicast requires that Windows Deployment Services (WDS) is running on Windows
Server 2008 or later. In addition to the core MDT setup for multicast, the network needs to
be configured to support multicast. In general, this means involving the organization
networking team to make sure that Internet Group Management Protocol (IGMP)
snooping is turned on and that the network is designed for multicast traffic. The multicast
solution uses IGMPv3.
3. Verify that you are going to work on the correct USB stick by running the following
command:
$Disk
Verifying that you are working with the correct USB stick.
4. Continue if you see the correct disk in the list; otherwise, remove/replace the USB
stick.
5. Clear the disk from any existing volume by running the following command:
Clear-Disk –InputObject $Disk -RemoveData –confirm:$False
6. Create a partition on the USB stick by running the following command (the
command is wrapped and should be one line):
$Partition = New-Partition –InputObject $Disk -UseMaximumSize
7. Format the USB stick by running the following command (the command is wrapped
and should be one line):
Format-Volume -NewFileSystemLabel “BOOT” -FileSystem NTFS -Partition
$Partition –Confirm:$False
8. Assign a drive letter by running the following command (the command is wrapped
and should be one line):
Add-PartitionAccessPath -DiskNumber $Disk.Number -PartitionNumber 1 -
AssignDriveLetter
9. Get the assigned drive letter, and assign it to the $Volume variable by running the
following command:
$Volume = Get-Volume -FileSystemLabel “BOOT”
10. Review the assigned drive letter by running the following command:
$Volume
11. Make the USB stick active by running the following command (the command is
wrapped and should be one line):
Set-Partition -DriveLetter $Volume.DriveLetter -IsActive $True
12. Verify the configuration by running the following command (the command is
wrapped and should be one line):
Get-Partition -DriveLetter $Volume.DriveLetter | Select-Object *
Verifying the configuration.
13. Using File Explorer, copy the \MDT01\MDTProduction$\Boot\MDT
Production x64.iso file to C:\Setup\ISO.
14. Mount the C:\Setup\ISO\MDT Production x64.iso file by double-clicking on it.
15. Copy the content from the mounted ISO to the root of the USB stick.
Congrats! Now you have a bootable USB stick!
Real World Note: Please don’t use USB hard drives for your offline media
deployments. There are simply too many known issues with this. Use USB sticks
instead. While you may get offline media deployment to work from a USB hard drive,
we have seen too many cases where it fails because of the BIOS version/configuration
or hard drive model being used. What can happen is that MDT tries to deploy the image
to the external hard drive instead of using the internal drive, this because of how WinPE
enumerates the drives. Don’t say we didn’t warn you.
Real World Note: When creating offline media, never, ever, create a subfolder inside
the deployment share folder because that will break the offline media.
Configure the Offline Media
Offline media have their own rules, their own Bootstrap.ini and CustomSettings.ini files.
They are stored in the Control folder of the offline media, but can also be accessed via
properties of the offline media in the Deployment Workbench.
1. On MDT01, using File Explorer, copy the following files from
C:\Setup\MDTOfflineMedia\Control folder to
E:\MDTOfflineMedia\Content\Deploy\Control. Overwrite the existing files.
• Bootstrap.ini
• CustomSettings.ini
2. Using File Explorer, copy the C:\Setup\MDTOfflineMedia\Branding folder to
E:\MDTOfflineMedia\Content\Deploy.
3. Using the Deployment Workbench, navigate to MDT Production / Advanced
Configuration / Media, right-click MEDIA001, and select Properties.
4. In the General tab, configure the following:
• Clear the Generate x86 boot image check box.
• ISO file name: Windows 10 Offline Media.iso
The offline media properties.
5. In the Rules tab, remove the comment (;) from the WSUSServer line and type in
your WSUS server (WSUS01):
WSUSServer=http://wsus01.corp.viamonstra.com:8530
6. In the Windows PE tab, in the Platform drop-down list, make sure x64 is selected.
7. In the General sub-tab, configure the following setting:
In the Windows PE Customizations area:
Custom background bitmap file:
%DEPLOYROOT%\Branding\ViaMonstraLogo.bmp
8. In the Features sub-tab, enable the following components:
• DISM Cmdlets
• Microsoft Data Access Components (MDAC/ADO) support
• .NET Framework
• Windows PowerShell
• Secure Boot Cmdlets
• Storage Management Cmdlets
9. In the Drivers and Patches sub-tab, select the WinPE x64 selection profile and
select the Include all drivers from the selection profile option.
10. Click OK.
Real World Note: The full path in Windows cannot be longer than 260 characters, and
it’s often when you generate offline media that you run into that issue. This is because
the offline media adds the Content/Deploy folder to the existing path, and sometimes
that is all it takes to have the update fail. Fixing the problem is easy; just use a shorter
path when importing the operating system.
3. Verify that you are going to work on the correct USB stick by running the following
command:
$Disk
Verifying that you are working with the correct USB stick.
4. Continue if you see the correct disk in the list; otherwise, remove/replace the USB
stick.
5. Clear the disk from any existing volume by running the following command:
Clear-Disk –InputObject $Disk -RemoveData –confirm:$False
6. Partition the USB stick by running the following command (the command is
wrapped and should be one line):
$Partition = New-Partition –InputObject $Disk -UseMaximumSize
7. Format the USB stick by running the following command (the command is wrapped
and should be one line):
Format-Volume -NewFileSystemLabel “BOOT” -FileSystem NTFS -Partition
$Partition –Confirm:$False
8. Assign a drive letter by running the following command (the command is wrapped
and should be one line):
Add-PartitionAccessPath -DiskNumber $Disk.Number -PartitionNumber 1 -
AssignDriveLetter
9. Get the assigned drive letter, and assign it to the $Volume variable by running the
following command:
$Volume = Get-Volume -FileSystemLabel “USBDISK01”
10. Review the assigned drive letter by running the following command:
$Volume
11. Make the USB stick active by running the following command (the command is
wrapped and should be one line):
Set-Partition -DriveLetter $Volume.DriveLetter -IsActive $True
12. Copy the content of the MDTOfflineMedia\Content folder to the root of the USB
stick.
Congrats, now you have a bootable USB stick with a portable deployment solution!
Real World Note: The USB stick can be formatted with either FAT32 or NTFS, as
either works; however, we recommend using FAT32 to support UEFI deployment. There
is a limitation on FAT32 filesystem: it only allows file sizes up to 4 GB, but in MDT, it
is possible to overcome that limitation by using the split-WIM feature. The feature needs
to be enabled, as it’s disabled by default. To do that, open the Settings.xml file in the
Control folder and change <SkipWimSplit>True</SkipWimSplit> to
<SkipWimSplit>False</SkipWimSplit>. After this change, you need to update the
media deployment share.
Splitting the WIM when creating the media.
Chapter 12
Real World Note: You also copy and paste the imported operating system from MDT
Build Lab to MDT Production directly using the Deployment Workbench.
Real World Note: Data and settings that are migrated with USMT are often referred to
as “user state,” even though technically computer-specific data and settings also are
stored in the backup. You also don’t need to worry about getting junk migrated from the
old installation. USMT only migrates what you configure it to migrate.
In addition to the USMT backup, you can enable an optional full WIM backup of the
machine by configuring the MDT rules. If you do this, a .wim file is created in addition to
the USMT backup. This .wim file contains the entire volume from the computer, and
helpdesk personnel can extract content from it if needed.
Real World Note: Even though the optional backup is a .wim file, applying this image
to restore a running operating system is not supported. The intention of the .wim file is
to have a backup of data, not a computer backup that can be restored. We also have seen
customers who back up the machine to a VHD file instead. It uses much more disk
space, but the resulting VHD can then be used to create a virtual machine, which you
then can run as a VDI machine if something does not work correctly. Creating a VHD
file is done by running the disk2vhd.exe utility, which can be used as a command-line
utility in a task sequence.
Multi-User Migration
By default, ScanState backs up all profiles on the machine, even the local computer
profiles that you are normally not very interested in. Also, if you have a machine that has
been in your environment for a while, the odds are that it has quite a few domain-based
profiles on it, including those of users who no longer use the computer. This, of course,
depends on the environment, but it’s nice for you to know that you can limit which
profiles are backed up by configuring command-line switches to ScanState (added as rules
in MDT).
In ViaMonstra, each machine usually has a primary user, meaning there are not many
domain user profiles on each machine. For this scenario, it makes sense to configure
ScanState to capture only domain-based profiles. As you may remember from Chapter 10,
the CustomSettings.ini file (the rules) has the following line:
ScanStateArgs=/ue:*\* /ui:VIAMONSTRA\*
This line configures ScanState to back up only domain-based profiles on your machines.
Real World Note: If you have many user domain profiles on your machines, it probably
makes more sense to use the /uel switch which excludes profiles that have not been
accessed within a specific number of days. For example, adding /uel:60 configures
ScanState (or LoadState) not to include profiles that haven’t been accessed for more
than 60 days.
Note: Yes, the folders are still named USMT5 even though you are using USMT from
Windows ADK 10 in them.
2. Start Notepad from an elevated PowerShell prompt, and then edit the
E:\MDTProduction\Control\CustomSettings.ini file. After the
USMTMigFiles002=MigUser.xml line add the following line:
USMTMigFiles003=MigViaMonstraData.xml
Note: This is the optional full WIM backup you skip. The USMT backup will still run.
Real World Note: When a computer is being retired, there might be a lot of additional
actions that should occur, such as disabling the computer account in Active Directory. If
you need additional automation around removing/replacing a computer, consider adding
Orchestrator Runbooks, web services, or scripts that perform other configuration
actions. Such actions ensure the machine is removed from all systems.
Step-by-Step Guide Requirements
If you want to run the step-by-step guides in this chapter, you need a lab environment
configured as outlined in Chapter 1 and Appendix A. In this chapter, you use the
following virtual machines:
The VMs used in this chapter (you create the PC0005 VM in this chapter).
Preparing for the Computer Replace
In this chapter, the scenario is to replace PC0002 (running Windows 10, previously
upgraded from Windows 7 SP1 via the computer refresh scenario) with PC0005 (a new
machine, not yet deployed). The high-level steps to do this are the following:
1. Create the replace task sequence.
2. Run the replace task sequence (the backup only task sequence) on the old computer
(PC0002).
3. Perform a bare metal deployment of the new computer (PC0005).
Real World Note: With Windows 10, the replace computer scenario also can be used to
change a machine configuration from BIOS to UEFI.
Depending of the size of your organization, you might need to do some storage
calculations before starting to do computer replace deployments. We have seen customers
underestimate the actual amount of data being copied over the network, forcing them to
slow down the overall deployment project. You also might need to dedicate additional
storage on the MDT server.
There are two things that could help you keep storage usage down a bit. If your server
runs Windows Server 2012 or later (like you do if you are using the proof-of-concept
environment for this book), you can enable the data deduplication feature. (data
deduplication was enabled as part of preparing MDT01 in Chapter 7.) You also can use the
File Server Managers automation functions to schedule a cleanup job for the MigData
folder.
Note: Make sure not to add a trailing backslash () to the location, which will break the
backup.
d. Password: P@ssw0rd
The task sequence now runs USMT (Scanstate.exe) to capture user data and settings
of the machine.
Real World Note: If you add WipeDisk=YES to your rules, MDT will also do a secure
wipe of the old machine. Secure wipe in this case is not a US Department of Defense
(DoD) approved secure wipe, but is using the format /p:3 feature that overwrites every
sector with zeros, three times. You can also create your own action to wipe the disk
using other tools like DaRT from MDOP 2015 to accomplish that.
Real World Note: This option is used when using the offline USMT backup, enabling
you to capture USMT data from WinPE.
The Offline USMT Backup option.
e. Specify whether to restore user data: Specify a location
Location: \MDT01\MigData$\PC0002
f. Applications: Select the following applications:
• Install - Adobe Acrobat Reader DC
• Install - Oracle Java 8
g. Do not enable BitLocker for this computer: Selected
3. The setup starts and does the following:
a. Installs the Windows 10 operating system
b. Joins the corp.viamonstra.com domain
c. Installs the selected applications
d. Restores the backup previously captured from PC0002
4. When the setup is completed, log on as VIAMONSTRA\frank.sheep and verify
that the customizations you did on PC0002 have been restored.
Chapter 15
Real World Note: The coolest feature in DaRT is no doubt the remote connection
capabilities that allow you to connect to WinPE remotely.
The VMs used in this chapter (you create the PC0006 VM in this chapter).
Real World Note: You don’t need to enable the normal monitoring to use remote
connection. The connection information can be found in the bdd.log file, but it really
helps to have the normal monitoring enabled because then you can simply double-click
the machine you want to remote into and connect to it directly from the Deployment
Workbench.
In these steps, we assume that you downloaded MDOP 2015 and copied DaRT 10 to
C:\Setup\DL\DaRT 10 on MDT01.
Note: MDOP 2015 is available for Software Assurance customers and can be
downloaded from the Volume Licensing Service Center (VLCS).
Deploying PC0006. Note the minimized window in the lower left corner, which is
DaRT.
d. Move Data and Settings: Do not move user data and settings
e. Specify whether to restore user data: Do not restore user data and settings
f. Applications: Select the following applications:
• Install - Adobe Acrobat Reader DC
• Install – Oracle Java 8
g. Do not enable BitLocker for this computer: Selected
3. Start the deployment, and then switch over to MDT01.
4. On MDT01, using the Deployment Workbench, navigate to MDT Production /
Monitoring and double-click PC0006.
5. In the PC0006 properties window, select DaRT Remote Control.
You are now connected to PC0006 remotely.
Enabling BitLocker
BitLocker is the disk volume encryption built into the Windows 10 Pro and Enterprise
editions. From an operating system deployment point of view, BitLocker requires two
things:
• A protector, which can be stored in the Trusted Platform Module (TPM) chip or
stored as a password. Technically, you also can use a USB stick to store the protector,
but that’s not a very good solution at all. Please use TPM and/or password.
• Multiple partitions on the hard drive.
Real World Note: Even though it’s not a BitLocker requirement, we recommend
configuring BitLocker to store the recovery key and TPM owner information in Active
Directory. In Chapter 7, you learned how to enable this for the ViaMonstra environment.
For additional detailed information about these features, see: http://tinyurl.com/ylrhssa.
Step-by-Step Guide Requirements
If you want to run the step-by-step guides in this chapter, you need a lab environment
configured as outlined in Chapter 1 and Appendix A. In this chapter, you use the
following virtual machines:
The VMs used in this chapter. (The PC0007 machine is a physical machine used for
BitLocker.)
MDT and BitLocker
Dealing with multiple partitions is not a problem because it’s handled by MDT. However,
enabling the TPM can be tricky because it involves configuring the computer BIOS.
Fortunately, most major vendors offer tools that allow you to enable the TPM chip as part
of your deployment.
To configure the ViaMonstra environment for BitLocker, you need to do the following:
1. Configure Active Directory for BitLocker (already done in Chapter 7).
2. Download the various BitLocker scripts and tools.
3. Configure the operating system deployment task sequence for BitLocker.
4. Configure the rules (CustomSettings.ini) for BitLocker.
Real World Note: If you wonder where the old Dell Client Configuration Toolkit
(CCTK) tool is, just look in the Dell Command | Configure installation folder and you’ll
find it.
The Dell Command | Configure toolset allows you to create a configuration very easily
and then export it as an INI, CCTK, or EXE file. This can then be added to your
deployment process to run fully automated as part of the Windows 10 deployment.
Creating a configuration package for the Dell XPS 13.
Real World Note: In Windows Server 2016 TP4 or Windows 10 v.1511 or later, you
also have a virtual TPM chip you that enables you to use BitLocker, with TPM
protection, in virtual machines.
1. Configure the machine (PC0007) on which you are testing BitLocker to have TPM
enabled.
2. Start the machine, press Enter and allow it to boot WinPE (PXE), and complete the
Windows Deployment Wizard using the following settings:
a. Password: P@ssw0rd
b. Select a task sequence to execute on this computer: Custom Windows 10
Enterprise x64
c. Computer name: PC0007
d. Move Data and Settings: Do not move user data and settings
e. Specify whether to restore user data: Do not restore user data and settings
f. Applications: Select the following applications:
• Install - Adobe Acrobat Reader DC
• Install – Oracle Java 8
g. Specify the BitLocker configuration: Enable BitLocker
Assigning Settings
When using MDT, you can assign settings in three distinct ways: You can prestage the
information before deployment, prompt the user or technician for information, or have
MDT generate the settings automatically.
Sample Configurations
Before adding the more advanced components like databases and web services (Chapters
18 and 19), it makes sense to give you a few samples of commonly used configurations so
you can see for yourself the power the rules engine gives you.
[Default]
OSInstall=YES
[00:15:5D:85:6B:00]
OSDComputerName=PC00075
In the preceding sample, you set the PC00075 computer name for a machine with a MAC
address of 00:15:5D:85:6B:00.
[Default]
OSInstall=YES
[CND0370RJ7]
OSDComputerName=PC00075
In this sample, you set the PC00075 computer name for a machine with a serial number of
CND0370RJ7.
Generate a Computer Name Based on a Serial Number
You also can configure the rules engine to use a known property, like a serial number, to
generate a computer name on the fly.
[Settings]
Priority=Default
[Default]
OSInstall=YES
OSDComputerName=PC-%SerialNumber%
In this sample, you configure the rules to set the computer name to a prefix (PC-) and then
the serial number. If the serial number of the machine is CND0370RJ7, the preceding
configuration sets the computer name to PC-CND0370RJ7.
Real World Note: Be careful when using the serial number to assign computer names.
A serial number can contain more than 15 characters, and the Windows setup becomes
quite upset if you try to use a computer name with more than 15 characters.
[Default]
OSInstall=YES
OSDComputerName=PC-#Left(“%SerialNumber%”,12)#
In the preceding sample, you still configure the rules to set the computer name to a prefix
(PC-) and then the serial number. However, by adding the Left VBScript function, you
configure the rule to use only the first 12 serial number characters for the name.
[Default]
SLShare=\MDT01\Logs$
[ByLaptopType]
Subsection=Laptop-%IsLaptop%
[Laptop-True]
Applications001={855f08f0-def5-4298-9b5e-6fbbb513754a}
The IsLaptop property requires you to use a subsection in the rules. This is why there are
two sections to relate to the configuration, the ByLaptopType and the Laptop-True
sections.
Real World Note: The Applications property, when used in combination with the
Deployment Wizard, shows the application as selected, but it is still possible to deselect
it. If you want to select the application, but don’t want the user or technician to be able
to deselect it, you can use the MandatoryApplications property instead.
UserExit Scripts
MDT supports calling external VBScripts as part of the Gather process; these scripts are
referred to as UserExit scripts. In this section, you configure the rules to use a UserExit
script to generate computer names based on a prefix and the computer MAC address. The
script also removes the colons in the MAC address.
[Default]
OSINSTALL=YES
UserExit=Setname.vbs
OSDComputerName=#SetName(“%MACADDRESS%”)#
The UserExit=Setname.vbs calls the script and then assigns the computer name to what
the SetName function in the script returns. As you can see, in this sample, the
%MACADDRESS% variable is passed to the script.
UserExit = Success
End Function
Function SetName(sMac)
Dim re
End Function
The first three lines of the script just make up a header that all UserExit scripts have. The
interesting part is the lines between Function and End Function. Those lines do the magic
of adding a prefix (PC), removing the colons from the MAC address, and returning the
value to the rules by setting the SetName value.
Note: The purpose of this sample is not to recommend that you use the MAC address as
a base for computer naming, but rather to show you how to take a variable from MDT,
pass it to an external script, make some changes to it, and then return the new value to
the deployment process.
[HardwareInfo]
UserExit=AliasUserExit.vbs
ModelAlias=#SetModelAlias()#
[Default]
OSINSTALL=YES
The C:\MDT folder with the files added for the test environment.
11. Using an elevated PowerShell prompt (run as administrator), run the following
commands (pressing Enter after each command):
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Set-Location C:\MDT
.\Gather.ps1
Note: Don’t worry about warnings or errors with regard to the Wizard.hta. They are
expected. If the log file looks okay, you are ready to try a real deployment. Good luck!
3. Check whether SQL Server has started by running the following command:
Get-Process –Name *SQL*
Configure the Firewall for the SQL Server 2014 Browser Service
When using SQL Server 2014 SP1 Express, the setup creates a separate instance named
SQLEXPRESS. Because we are using a separate instance, you need the have SQL Server
Browser service to be fully operational.
The SQL Server Browser service is blocked by the Windows Firewall by default, and to
have the MDT database working, you need to allow inbound traffic for this service on
MDT01. The SQL Server Browser service uses port 1434 UDP, so you open that port for
inbound traffic.
1. On MDT01, start an elevated PowerShell prompt.
2. Configure the firewall by running the following command:
C:\Setup\Scripts\Set-VIASQLFirewall.ps1
2. In the Connect to Server dialog box, in the Server name list, select
MDT01\SQLEXPRESS and click Connect.
Connecting to the MDT database in SQL Server 2014 Management Studio.
3. In the Object Explorer pane, expand the top Security node, right-click Logins, and
select New Login.
4. On the Login – New page, in the Login name field, type
VIAMONSTRA\MDT_BA. Then in the left pane, select User Mapping. Select the
MDT database, and assign the following roles:
• db_datareader
• db_datawriter
• public (default)
5. Click OK, and close SQL Server 2014 Management Studio.
Creating the login and settings permissions to the MDT database.
Real World Note: Adding a single entry manually is all right. However, if you want to
add multiple entries, we recommend that you use the SQL Server 2014 Express import
features, or perhaps use PowerShell to bulk import your clients. Here is a list of
resources for different ways of bulk importing data into the MDT database:
“Deploying Windows 7 - Part 22: Bulk Populating the MDT Database Using
PowerShell,” by Mitch Tulloch: http://tinyurl.com/mdtbulkimport1
Credit: Maik Koster kindly granted us permission to use his Deployment Webservice in
this book. The full documentation is available on Codeplex:
http://mdtcustomizations.codeplex.com.
In the following sections, you learn to use a web service that interacts with Active
Directory. The function you use when interacting with Active Directory is the
MoveComputerToOU function, which allows you to move computer accounts between
OUs during deployment. This is very useful when you start Windows 10 pilot projects and
want to have your Windows 10 machines in a new OU structure.
Step-by-Step Guide Requirements
If you want to run the step-by-step guides in this chapter, you need a lab environment
configured as outlined in Chapter 1 and Appendix A. In this chapter, you use the
following virtual machines:
3. Set the Active Directory permissions for the Staging OU by running the following
command (the command is wrapped and should be one line):
C:\Setup\Scripts\Set-VIAOUPermissions.ps1
-Account MDT_WS
-TargetOU “OU=Staging,OU=Internal IT,OU=ViaMonstra”
Real World Note: If you feel that testing should be done using PowerShell, it is
absolutely possible. In this blog post, you can learn how to perform actions against web
services directly using PowerShell: http://tinyurl.com/of8gcvr.
The Active Directory web service, showing the only enabled function.
3. On the Active Directory page, select the MoveComputerToOU function.
4. Use the following settings:
a. ComputerName: PC0008
b. OUPath: OU=Staging,OU=Internal IT,OU=ViaMonstra,DC=corp,
DC=viamonstra,DC=com
c. Click Invoke.
After invoking the MoveComputerToOU function.
5. On DC01, using Active Directory User and Computers, select the ViaMonstra /
Internal IT / Staging OU, and press F5. The PC0008 computer should now be in
this OU.
The PC0008 computer after being moved to the Staging OU by the web service.
b. Verify that the StagingOU value in the Default section looks like this:
[Default]
_SMSTSORGNAME=ViaMonstra
OSInstall=YES
UserDataLocation=AUTO
TimeZoneName=Pacific Standard Time
AdminPassword=P@ssw0rd
JoinDomain=corp.viamonstra.com
DomainAdmin=VIAMONSTRA\MDT_JD
DomainAdminPassword=P@ssw0rd
StagingOU=ou=Staging,ou=Internal IT,ou=ViaMonstra,dc=corp,
dc=viamonstra,dc=com
MachineObjectOU=ou=Workstations,ou=viamonstra,dc=corp,
dc=viamonstra,dc=com
…
Real World Note: By now you probably realize the true power of web services.
However, please note that some of the web service functions can be pretty dangerous if
they can be used by anyone. For a guide to securing the Deployment Webservice, see
http://tinyurl.com/ws73sec.
Appendix A
Real World Note: Don’t go cheap on the disk drive. If using a normal laptop or desktop
when doing the step-by-step guides in this book, please, please, please use a SSD drive
for your virtual machines. Using normal spindle-based disks are just too slow for a
decent lab and test environment. Also, please note that most laptops support at least 16
GB RAM these days, even if many vendors do not update their specifications with this
information.
The Base Servers
Using the hydration kit, you build the following list of servers.
Real World Note: You also can use a Linux-based system for routing the network
traffic. For detailed guidance on setting up a Linux-based virtual router for your lab
environment, see this article: http://tinyurl.com/usingvirtualrouter.
Setting Up the Hydration Environment
Again, to enable you to quickly set up the servers and clients used for the step-by-step
guides in this book, we provide you with a hydration kit (part of the book sample files)
that builds all the servers and clients. The sample files are available for download at
http://deploymentfundamentals.com.
5. After the downloads are compete, copy the Windows Server 2012 R2 installation
files (the content of the ISO, not the actual ISO) to the following folder:
C:\Setup\DL\Windows_Server_2012_R2
Windows Server 2012 R2, including the November 2014 rollup update.
6. Copy the Windows 7 SP1 Enterprise x64 installation files (again, the content of
the ISO, not the actual ISO) to the following folder:
C:\Setup\DL\Windows_7_SP1_Enterprise_x64
The C:\Setup\DL folder after downloading the needed files.
Note: MDT requires local administrator rights/permissions. You need to have at least 60
GB of free disk space on C: for the hydration kit and about 500 GB of free space for the
volume hosting your virtual machines. Also make sure to run all commands from an
elevated PowerShell prompt.
4. After creating the hydration deployment share, review the added content using the
Deployment Workbench (installed as part of the MDT setup).
The Deployment Workbench with the ready-made applications listed.
Note: The most common reason for failures in the hydration kit are related to antivirus
software preventing the ISO from being generated correctly. If you see any errors in the
update media content process, disable (or uninstall) your antivirus software, and then try
the update again. Anyway, the media update takes a while to run, so it’s a perfect time
for a coffee break. J
After the media update, you have a big ISO (HydrationDF6.iso) in the
C:\HydrationDF6\ISO folder. The ISO will be between 7 and 8 GB in size depending on
which Windows media you have been using. (You have probably noticed that Microsoft
offers Windows Server 2012 R2 ISO files with updates already installed, and these ISO
files are larger.)
Deploy GW01
GW01 is an optional server used as a virtual router. Again, this allows for having the other
virtual machines on an isolated network but still being able to access the Internet. If your
virtual platform is already configured to provide Internet access to your VMs (for
example, you are using the NAT network feature in VMware Workstation, or you are on a
dedicated lab network that allows you to run your own DHCP server), you can skip
creating the GW01 virtual machine.
Note: If you have Hyper-V installed on your host PC or server and have created a virtual
switch named Internal, you can use the New-DF6LAB.ps1 script from the book sample
files for the fully automated creation of the various virtual machines you need for the
guides in this book. If you review the script, you can see, for example, that the following
PowerShell script is used to create the DC01 virtual machine:
1. Using Hyper-V Manager or VMware Sphere, create a virtual machine with the
following settings:
a. Name: GW01
b. Memory: 1 GB (minimum, 2 GB recommended)
c. Hard drive: 100 GB (dynamic disk)
d. Network: The virtual network you use for the virtual machines
e. Image file (ISO): C:\HydrationDF6\ISO\HydrationDF6.iso
f. vCPUs: 2 (minimum, 4 recommended)
2. Start the GW01 virtual machine. After booting from HydrationDF6.iso, and after
WinPE has loaded, select the GW01 task sequence.
Note: It might take some time before the task sequence list is displayed. WinPE tries
really hard to get an IP address from the DHCP, but because we don’t have one, we’ll
just wait.
3. Wait until the setup is complete and you see the Hydration completed message in
the final summary. Verify that there is no ISO file mounted in the GW01 virtual
machine, and leave virtual machine running.
GW01 Post-Deployment OS Configurations
After the initial deployment of GW01 is completed, you need to do additional post-
deployment OS configurations like adding a second virtual network adapter and installing
Routing and Remote Access (RRAS).
4. After the GW01 virtual machine is restarted, log in again and start Routing and
Remote Access to review the configuration.
Real World Note: First, restarting GW01 is not really required because of the Routing
and Remote Access configuration, but it’s nice to do a final reboot after completing the
configuration and make sure everything starts properly. Also, please note that Routing
and Remote Access service is configured with a delayed start, so give it some time to
start. A service configured for delayed start starts two minutes after the last “automatic”
service has started.
Routing and Remote Access configured via PowerShell. Ethernet 2 is the public NAT
interface.
Deploy DC01
This is the primary domain controller used in the environment, and it also runs DNS and
DHCP.
1. Using Hyper-V Manager or VMware Sphere, create a virtual machine with the
following settings:
a. Name: DC01
b. Memory: 1 GB (minimum, 2 GB recommended)
c. Hard drive: 100 GB (dynamic disk)
d. Network: The virtual network you use for the virtual machines
e. Image file (ISO): C:\HydrationDF6\ISO\HydrationDF6.iso
f.. vCPUs: 2
2. Start the DC01 virtual machine. After booting from HydrationDF6.iso, and after
WinPE has loaded, select the DC01 task sequence.
Real World Note: Using a dynamic disk is really useful for a lab and test environment
because the host PC uses only the actually consumed space on the virtual hard drive and
not the size that you enter like a fixed disk would.
The initial deployment of DC01 completed, showing the custom final summary screen.
Note: During the configuration of Active Directory and DNS, a decent number of
warnings pop up. The warnings are warnings regarding changes in Active Directory that
prevent NT domain controllers from joining in. That should not be a problem for you.
3. Configure the Active Directory site subnet by running the following command (the
command is wrapped and should be one line):
C:\Setup\Scripts\Set-VIAADSiteSubnet.ps1 -SiteName “NewYork” -ADSubnets
“192.168.1.0/24”
Real World Note: If you want to add multiple subnets to a site, you can specify them as
an array: -ADSubnets “192.168.1.0/24”,“192.168.2.0/24”
Real World Note: You may want to change the command to use a time server pool
close to your location. Check http://www.pool.ntp.org for a list for your country.
Install DHCP
DC01 also should run the DHCP service. In this guide, you run a script that installs and
configures the DHCP server.
Note: If you have another DHCP server running in your network, now is a good time to
disable it.
3. Authorize DHCP in Active Directory and configure the DHCP security group by
running the following command:
C:\Setup\Scripts\Set-VIARoles.ps1 -Role DHCP
4. Create the DHCP scope by running the following command (the command is
wrapped and should be one line):
C:\Setup\Scripts\Set-VIADHCP.ps1 -OSDAdapter0Net “192.168.1.0” -
OSDAdapter0SubnetMaskPrefix “24” -DHCPScopeStart “100” -DHCPScopeEnd
“199” -ScopeFQDN “corp.viamonstra.com” -ScopeDNS1 “192.168.1.200” -
ScopeRouter “192.168.1.1”
5. Verify the setup by opening DHCP Manager and reviewing the settings.
Deploy MDT01
MDT01 is the server used for MDT and WDS.
1. Using Hyper-V Manager or VMware Sphere, create a virtual machine with the
following settings:
a. Name: MDT01
b. Memory: 2 GB (minimum, 4 GB recommended)
c. Hard drive: 300 GB (dynamic disk)
d. Network: The virtual network you use for the virtual machines
e. Image file (ISO): C:\HydrationDF6\ISO\HydrationDF6.iso
f. vCPUs: 2 (minimum, 4 recommended)
2. Make sure the DC01 virtual machine is running, and then start the MDT01 virtual
machine. After booting from HydrationDF6.iso, and after WinPE has loaded, select
the MDT01 task sequence. Wait until the setup is complete and you see the
Hydration completed message in the final summary. Verify that there is no ISO file
mounted on the MDT01 virtual machine.
Deploy MDT02
MDT02 is an optional server used for the distributed environment topic covered in
Appendix B. You need this server only if you want to try that scenario.
1. Using Hyper-V Manager or VMware Sphere, create a virtual machine with the
following settings:
a. Name: MDT02
b. Memory: 2 GB (minimum, 4 GB recommended)
c. Hard drive: 300 GB (dynamic disk)
d. Network: The virtual network you use for the virtual machines
e. Image file (ISO): C:\HydrationDF6\ISO\HydrationDF6.iso
f. vCPUs: 2 (minimum, 4 recommended)
2. Make sure the DC01 virtual machine is running, and then start the MDT02 virtual
machine. After booting from HydrationDF6.iso, and after WinPE has loaded, select
the MDT02 task sequence. Wait until the setup is complete and you see the
Hydration completed message in the final summary. Verify that there is no ISO file
mounted on the MDT02 virtual machine.
Deploy WSUS01
WSUS01 is the server used for Windows Software Update Services.
1. Using Hyper-V Manager or VMware Sphere, create a virtual machine with the
following settings:
a. Name: WSUS01
b. Memory: 2 GB (minimum, 4 GB recommended)
c. Hard drive: 300 GB (dynamic disk)
d. Network: The virtual network you use for the virtual machines
e. Image file (ISO): C:\HydrationDF6\ISO\HydrationDF6.iso
f. vCPUs: 1 (minimum, 2 recommended)
2. Make sure the DC01 virtual machine is running, and then start the WSUS01 virtual
machine. After booting from HydrationDF6.iso, and after WinPE has loaded, select
the WSUS01 task sequence. Wait until the setup is complete and you see the
Hydration completed message in the final summary. Verify that there is no ISO file
mounted on the WSUS01 virtual machine.
Deploy PC0001
This is a client running Windows 7 SP1 Enterprise x64 in the domain.
1. Using Hyper-V Manager or VMware Sphere, create a virtual machine with the
following settings:
a. Name: PC0001
b. Memory: 2 GB
c. Hard drive: 60 GB (dynamic disk)
d. Network: The virtual network you use for the virtual machines
e. Image file (ISO): C:\HydrationDF6\ISO\HydrationDF6.iso
f. vCPUs: 1 (minimum, 2 recommended)
2. Start the PC0001 virtual machine. After booting from HydrationDF6.iso, and after
WinPE has loaded, select the PC0001 task sequence. Wait until the setup is
complete and you see the Hydration completed message in the final summary.
Verify that there is no ISO file mounted on the PC0001 virtual machine.
Deploy PC0002
This is an extra client running Windows 7 SP1 Enterprise x64 in the domain.
1. Using Hyper-V Manager or VMware Sphere, create a virtual machine with the
following settings:
a. Name: PC0002
b. Memory: 2 GB
c. Hard drive: 60 GB (dynamic disk)
d. Network: The virtual network you use for the virtual machines
e. Image file (ISO): C:\HydrationDF6\ISO\HydrationDF6.iso
f. vCPUs: 1 (minimum, 2 recommended)
2. Start the PC0002 virtual machine. After booting from HydrationDF6.iso, and after
WinPE has loaded, select the PC0002 task sequence. Wait until the setup is
complete and you see the Hydration completed message in the final summary.
Verify that there is no ISO file mounted on the PC0002 virtual machine.
Appendix B
Note: This Appendix assumes that you have configured MDT01 for production
deployments as outlined in Chapter 10: “Setting Up MDT for Production Deployment”.
Replicating Deployment Shares
Replicating the content between MDT01 and MDT02 can be done in a number of different
ways. The most common content replication solutions with MDT are to use either the
MDT-linked deployment share feature or Distributed File System Replication (DFS-R).
We have even seen some organizations use a simple Robocopy script for replication of the
content.
Real World Note: Even if Robocopy seems to be a simple solution, it actually can work
quite nicely. Robocopy does have options that allow for synchronization between
folders; it has a simple reporting function; it supports transmission retry; and by default,
it only copies files from the source that are newer than files on the target.
2. You can verify replication health using the UI (See “Verify Replication” later n this
appendix for more information) or PowerShell. Here is a simple PowerShell
command to generate an HTML report in the C:\DFSReports folder (the command
is wrapped and should be one line, also the C:\DFSReports folder must exist):
Write-DfsrHealthReport -GroupName “MDT” -ReferenceComputerName “MDT01”
-Path C:\DFSReports
3. The output gives a file location that you then can open using PowerShell:
Invoke-Item -Path C:\DFSReports\Health-MDT-xyzzyx.html
Real World Note: It takes quite a bit of time for the replication configuration to be
picked up by the replication members (MDT01 and MDT02), and of course the initial
sync also takes some time, depending on the WAN link speed between the sites. Even in
a lab and test environment, the initial configuration may take an hour to complete. After
that, delta changes are replicated quickly.
[DefaultGateway]
192.168.1.1=NewYork
192.168.2.1=Stockholm
[NewYork]
DeployRoot=\MDT01\MDTProduction$
[Stockholm]
DeployRoot=\MDT02\MDTProduction$
[Default]
UserDomain=VIAMONSTRA
UserID=MDT_BA
SkipBDDWelcome=YES
With these settings, a client on the NewYork network uses the NewYork deployment
share, and a client on the Stockholm network uses the deployment share in Stockholm.
Real World Note: You also can use the MDT database to store information on what
server to connect to. You learn about the MDT database in Chapter 18.
Appendix C
Add the Microsoft Office 2016 Pro Plus x86 Installation Files
1. On MDT01, using the Deployment Workbench, expand the deployment share to
which you want to add Office 2016 and navigate to Applications.
2. Right-click Applications and select New Application. Use the following settings
for the New Application Wizard:
a. Application with source files
b. Publisher: <blank>
c. Application name: Install - Microsoft Office 2016 Pro Plus - x86
d. Version: <blank>
e. Source directory: C:\Setup\DL\Microsoft Office 2016 Pro Plus x86
f. Specify the name of the directory that should be created: Install - Microsoft
Office 2016 Pro Plus - x86
g. Command line: Setup.exe
h. Working directory: <default>
Note: If you don’t see the Office Products tab, verify that you are using a volume
license version of Office 2016.
The Install - Microsoft Office 2016 Pro Plus - x86 application properties.
3. In the Office Customization Tool dialog box, select the Create a new Setup
customization file for the following product option, select the Microsoft Office
Professional Plus 2016 (32-bit) product, and click OK.
4. Use the following settings to configure the Office 2016 setup to be fully unattended:
a. Install location and organization name
Organization name: ViaMonstra
b. Licensing and user interface
• Use KMS client key
• Select: I accept the terms in the License Agreement
• Display Level: None
The licensing and user interface screen in the Microsoft Office Customization Tool.
c. Modify Setup properties
Add the SETUP_REBOOT property and set the value to Never.
d. Modify user settings
In the Microsoft Office 2016 node, expand Privacy, select Trust Center,
and enable the Disable Opt-in Wizard on first run setting.
5. In the File menu, select Save, and save the configuration as
0_Office2016ProPlusx86.msp in the <Deployment Share>\
Install - Microsoft Office 2016 Pro Plus - x86\Updates folder.
Real World Note: The reason for naming the file with a 0 (zero) at the beginning is that
the Updates folder also handles Microsoft Office updates, and they are installed in
alphabetical order. The Office 2016 setup works best if the customization file is installed
before any updates.
6. Close the Office Customization Tool, click Yes in the dialog box and in the Install
- Microsoft Office 2016 Pro Plus - x86 Properties window, and click OK.
Real World Note: If you also want to use the Config.xml file that Office 2016 supports,
for example, for language settings, you need to do an “interesting” series of actions J.
First, you need to close the Office application properties and open them again, but
before clicking the Office Products tab to do the configuration, you need to click each
tab in order: General, Details, Dependencies, and then Office Products. If you don’t do
this, the install command will not change.
Using the Office 2016 Config.xml file.
Index
A
ACM, 22
ACT, 21
Active Directory, 75
Active Directory-Based Activation, 15
Adding applications, 102, 130
ADMX Templates, 81
Appendix A, 249, 275, 279
Application Compatibility Manager, 22
Application Compatibility Toolkit, 21
Application Pool, 239
Applications, 27
App-V, 35
Automation Level, 11
B
Base Clients, 250
Base Servers, 249
BIOS Configuration, 204
BitLocker, 82, 203
Blogs, 2
Boot image drivers, 136
Boot images, 27
C
Compatibility Administrator, 22
Computer refresh, 7
Computer Refresh, 10, 183
Computer replace, 7
Computer Replace, 10, 189
ConfigMgr 2012 R2 Toolkit, 89
CustomSettings.ini, 120, 170
D
DaRT, 33, 195
Data Deduplication, 16
Data DeDuplication, 89
Database, 223
Database Permissions, 226
Database roles, 230
Default image, 11
Dell hardware, 13
Dell XPS 13, 140
Deployment Methods, 11
Deployment Scenarios, 7
Deployment Share, 26
Deployment Webservice, 236
Device Guard, 45
Diagnostics and Recovery Toolset, 195
DISM, 18
Drivers, 13, 106, 131
Drivers Repository, 27
Dynamic Deployment, 211
H
Hardware, 4
HP hardware, 13
Hybrid image, 13
Hydration Kit, 249
Hyper-V, 45, 249
I
IIS, 237
Images, 11
In-place upgrade, 7, 8, 177
Intel NUC, 137
J
Johan Arwidmark, iv
K
Key Management Service, 16
KMS, 16
L
Lenovo hardware, 13
Lite Touch, 25
Logging, 31
M
MAP, 23
MDOP, 32
MDT, 25
MDT 2013 Update 2, 88
Microsoft Application Virtualization, 35
Microsoft Assessment and Planning Toolkit, 23
Microsoft Deployment Toolkit, 25
Microsoft Desktop Optimization Pack, 32
Microsoft Diagnostics and Recovery Toolset, 33
Microsoft hardware, 13
Microsoft Most Valuable Professional, iv
Microsoft Office 2010 Pro Plus x86, 279, 280
Microsoft Office 2016 Click-to-Run, 102
Microsoft Passport, 44
Microsoft User Experience Virtualization, 34
Mikael Nyström, iv
Monitoring, 31
MoveComputerToOU, 242
N
New computer, 7, 9, 155
O
OEM, 7
Office 2010 Pro Plus x86, 102
Office 2016, 49
Office Customization Tool, 280
Operating Systems, 27
P
Packages, 27
PoC Environment, 249
PowerShell, 53
PowerShell Direct, 46
PowerShell ISE, 56
Prestage, 223
Production Deployment, 127
Provisioning Packages, 20
R
Reference images, 12
Reference Images, 97, 106, 123
Remote Connection, 195
Report Viewer 2008 SP1, 90
Rules, 26, 115, 118, 211
S
sample files, 2
SCM, 24
Security Compliance Manager, 24
Selection Profiles, 31
Servers, 5
Service Accounts, 76
Software, 5
SQL Server 2014 SP1 Express, 91, 224
Standard User Analyzer, 22
Start Menu, 42
Surface Pro 3, 139
Suspend Action, 111
T
Task Sequence Templates, 30
Task Sequences, 28
Test Environment, 218
TFTP Configuration, 152
Thick image, 12
Thin image, 12
TPM, 205
U
UEFI, 9
UE-V, 34
Unattend.xml, 113
Universal Applications, 43
UserExit, 215
V
VAMT, 20
ViaMonstra Inc., 1, 3
Virtual Secure Mode, 45, 86
VMware ESXi, 249
VMware Workstation, 249
Volume Activation, 15
Volume Activation Management Tool, 20
VSM, 45
W
WDS, 89, 150, 199
Web server, 237
Web services, 235
Windows 10 Editions, 37
Windows 10 Education, 38
Windows 10 Enterprise, 38
Windows 10 IoT, 38
Windows 10 Pro, 38
Windows ADK 10, 87
Windows as a Service, 39, 40
Windows Deployment Services, 24, 150
Windows Hello, 45
Windows ICD, 20
Windows PE, 21
Windows Server Update Services, 32, 90
WSIM, 19
WSUS, 32, 90
Z
Zero Touch, 25
Beyond the Book – Meet the Experts
If you liked their book, you will love to hear them in person.
Live Presentations
Johan and Mikael frequently speak at Microsoft conferences around the world, such as
Microsoft Management Summit (MMS) and TechEd. For current tour dates and
presentations, see our blogs:
• Mikael Nyström: http://deploymentbunny.com
• Johan Arwidmark: http://deploymentresearch.com
Video Training
For video-based training, see the following site:
http://deploymentartist.com
Live Instructor-led Classes
Johan and Mikael present scheduled instructor-led classes in the US and in Europe. For
current dates and locations, see the following sites:
• http://labcenter.se
• http://truesec.com
• http://deploymentartist.com
Twitter
Johan and Mikael also tweet on the following aliases:
• Mikael Nyström: @mikael_nystrom
• Johan Arwidmark: @jarwidmark